diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json
index 650a022c..d3a66a21 100644
--- a/clusters/mitre-attack-pattern.json
+++ b/clusters/mitre-attack-pattern.json
@@ -170,13 +170,6 @@
 {
 "dest-uuid": "1a295f87-af63-4d94-b130-039d6221fb11",
 "type": "related-to"
- },
- {
- "dest-uuid": "1a295f87-af63-4d94-b130-039d6221fb11",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6",
@@ -197,13 +190,6 @@
 {
 "dest-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6",
 "type": "related-to"
- },
- {
- "dest-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "286cc500-4291-45c2-99a1-e760db176402",
@@ -224,13 +210,6 @@
 {
 "dest-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6",
 "type": "related-to"
- },
- {
- "dest-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "1a295f87-af63-4d94-b130-039d6221fb11",
@@ -266,13 +245,6 @@
 {
 "dest-uuid": "286cc500-4291-45c2-99a1-e760db176402",
 "type": "related-to"
- },
- {
- "dest-uuid": "286cc500-4291-45c2-99a1-e760db176402",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6",
@@ -293,13 +265,6 @@
 {
 "dest-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983",
 "type": "related-to"
- },
- {
- "dest-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59",
@@ -320,13 +285,6 @@
 {
 "dest-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b",
 "type": "related-to"
- },
- {
- "dest-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "4900fabf-1142-4c1f-92f5-0b590e049077",
@@ -348,13 +306,6 @@
 {
 "dest-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59",
 "type": "related-to"
- },
- {
- "dest-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983",
@@ -375,13 +326,6 @@
 {
 "dest-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077",
 "type": "related-to"
- },
- {
- "dest-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b",
@@ -414,13 +358,6 @@
 {
 "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
 "type": "revoked-by"
- },
- {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "revoked-by"
 }
 ],
 "uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
@@ -468,13 +405,6 @@
 {
 "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd",
 "type": "revoked-by"
- },
- {
- "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "revoked-by"
 }
 ],
 "uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a",
@@ -643,13 +573,6 @@
 {
 "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad",
 "type": "revoked-by"
- },
- {
- "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "revoked-by"
 }
 ],
 "uuid": "f9e4f526-ac9d-4df5-8949-833a82a1d2df",
@@ -1129,13 +1052,6 @@
 {
 "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
 "type": "revoked-by"
- },
- {
- "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "revoked-by"
 }
 ],
 "uuid": "a21a6a79-f9a1-4c87-aed9-ba2d79536881",
@@ -1243,13 +1159,6 @@
 {
 "dest-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a",
 "type": "related-to"
- },
- {
- "dest-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b",
@@ -1274,20 +1183,6 @@
 {
 "dest-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b",
 "type": "related-to"
- },
- {
- "dest-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a",
@@ -1312,13 +1207,6 @@
 {
 "dest-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b",
 "type": "related-to"
- },
- {
- "dest-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "028ad431-84c5-4eb7-a364-2b797c234f88",
@@ -1519,7 +1407,7 @@ "value": "Upload, install, and configure software/tools - T1362" }, { - "description": "By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)\n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\n\nIn some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. 
The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response. \n\nSeveral tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)", + "description": "By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)\n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. 
The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\n\nIn some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response. \n\nSeveral tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)",
 "meta": {
 "external_id": "T1557.001",
 "kill_chain": [
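Review bot: The old and new `description` strings for T1557.001 in this hunk read identically, so the change is most likely a whitespace or invisible-character difference (a trailing space, a non-breaking space, or a changed Unicode quote) introduced by the ATT&CK export rather than a content update. If that is the case it is pure churn that will keep reappearing on every regeneration; it is worth confirming with `git diff --word-diff-regex=. HEAD~1 -- clusters/mitre-attack-pattern.json` and, if the diff is only whitespace, normalising it in the generator so reviewers are not asked to re-read a 2 KB string for nothing. This file is generated from the upstream STIX bundle, so any genuine wording fix belongs upstream, not in a hand edit here.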
@@ -1679,7 +1567,7 @@ "value": "Match Legitimate Name or Location - T1655.001" }, { - "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\n\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)", + "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\n\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. 
[Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)\n\nAdversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.",
 "meta": {
 "external_id": "T1562.004",
 "kill_chain": [
@@ -1694,11 +1582,13 @@
 "mitre_platforms": [
 "Linux",
 "macOS",
- "Windows"
+ "Windows",
+ "Network"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1562/004",
- "https://twitter.com/TheDFIRReport/status/1498657772254240768"
+ "https://twitter.com/TheDFIRReport/status/1498657772254240768",
+ "https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps"
 ]
 },
 "related": [
@@ -1816,7 +1706,7 @@ "value": "SIP and Trust Provider Hijacking - T1553.003" }, { - "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime.(Citation: Mandiant M-Trends 2015)\n\nAdversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)\n\nWMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.", + "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. 
Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)\n\nAdversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts – using `mofcomp.exe` –into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)\n\nWMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.",
 "meta": {
 "external_id": "T1546.003",
 "kill_chain": [
@@ -1825,6 +1715,7 @@
 ],
 "mitre_data_sources": [
 "Command: Command Execution",
+ "File: File Creation",
 "Process: Process Creation",
 "WMI: WMI Creation"
 ],
@@ -2005,13 +1896,6 @@
 {
 "dest-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d",
 "type": "related-to"
- },
- {
- "dest-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33",
@@ -2033,13 +1917,6 @@
 {
 "dest-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33",
 "type": "related-to"
- },
- {
- "dest-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d",
@@ -2092,13 +1969,6 @@
 {
 "dest-uuid": "7718e92f-b011-4f88-b822-ae245a1de407",
 "type": "related-to"
- },
- {
- "dest-uuid": "7718e92f-b011-4f88-b822-ae245a1de407",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "c721b235-679a-4d76-9ae9-e08921fccf84",
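Review bot: The rewritten T1546.003 sentence `Adversaries may also compile WMI scripts – using mofcomp.exe –into Windows Management Object (MOF) files` has the tool's direction backwards: `mofcomp.exe` takes an existing `.mof` file as input and compiles its class/instance definitions (here the event filter, consumer and binding objects) into the WMI repository, so the adversary authors the MOF file first and then runs mofcomp to register the subscription. A more accurate phrasing would be `Adversaries may also author Managed Object Format (MOF) files (.mof extension) and compile them into the WMI repository using mofcomp.exe to create a malicious subscription`; the same sentence also has a missing space in `–into`. The added `File: File Creation` data source in the second hunk is consistent with a dropped `.mof` file and looks right. Since this cluster is generated from the upstream ATT&CK bundle, the wording fix should be filed upstream rather than hand-edited here.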
@@ -2151,13 +2021,6 @@
 {
 "dest-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84",
 "type": "related-to"
- },
- {
- "dest-uuid": "7718e92f-b011-4f88-b822-ae245a1de407",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "0722cd65-0c83-4c89-9502-539198467ab1",
@@ -2182,13 +2045,6 @@
 {
 "dest-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84",
 "type": "related-to"
- },
- {
- "dest-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "7718e92f-b011-4f88-b822-ae245a1de407",
@@ -2213,13 +2069,6 @@
 {
 "dest-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
 "type": "related-to"
- },
- {
- "dest-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc",
@@ -2292,13 +2141,6 @@
 {
 "dest-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05",
 "type": "related-to"
- },
- {
- "dest-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "0722cd65-0c83-4c89-9502-539198467ab1",
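Review bot: In the `0722cd65-0c83-4c89-9502-539198467ab1` entry (hunk `@@ -2151,13 +2021,6 @@`) the commit deletes the tagged `related-to` link to `7718e92f-b011-4f88-b822-ae245a1de407`, but unlike every other hunk in this dedup there is no untagged twin of that uuid in the surviving context: the only remaining neighbour is `c721b235…`, and if the `related` arrays are sorted by `dest-uuid` as the other hunks suggest, an untagged `7718e92f…` would have to follow it, which it does not. Unless such an entry sits above the three context lines, this removes the relation outright rather than just its `estimative-language` tag, so please confirm with `jq '.values[] | select(.uuid=="0722cd65-0c83-4c89-9502-539198467ab1") | .related'` on the patched file. The same check is worth running for the other asymmetric removals in this commit, e.g. `028ad431…` → `2b9a666e…` and `092f05e3…` → `7baccb84…`.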
@@ -2319,7 +2161,7 @@
 "value": "Analyze presence of outsourced capabilities - T1303"
 },
 {
- "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.",
+ "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: Mandiant APT29 Eye Spy Email Nov 22)(Citation: Anomali Rocke March 2019) Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.",
 "meta": {
 "external_id": "T1037",
 "kill_chain": [
@@ -2337,10 +2179,13 @@
 "mitre_platforms": [
 "macOS",
 "Windows",
- "Linux"
+ "Linux",
+ "Network"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1037"
+ "https://attack.mitre.org/techniques/T1037",
+ "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email"
 ]
 },
 "uuid": "03259939-0b57-482f-8eb5-87c0e0d54334",
@@ -2484,13 +2329,6 @@
 {
 "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
 "type": "revoked-by"
- },
- {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "revoked-by"
 }
 ],
 "uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2",
@@ -2623,13 +2461,6 @@
 {
 "dest-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f",
 "type": "related-to"
- },
- {
- "dest-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05",
@@ -2730,20 +2561,6 @@
 {
 "dest-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc",
 "type": "related-to"
- },
- {
- "dest-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
@@ -2782,20 +2599,6 @@
 {
 "dest-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
 "type": "related-to"
- },
- {
- "dest-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
 }
 ],
 "uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc",
@@ -2871,13 +2674,6 @@
 {
 "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
 "type": "revoked-by"
- },
- {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "revoked-by"
 }
 ],
 "uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2",
@@ -2893,6 +2689,7 @@
 ],
 "mitre_data_sources": [
 "Command: Command Execution",
+ "Container: Container Creation",
 "Driver: Driver Load",
 "File: File Creation",
 "File: File Modification",
@@ -2906,7 +2703,8 @@
 "mitre_platforms": [
 "Windows",
 "macOS",
- "Linux"
+ "Linux",
+ "Containers"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1543",
@@ -3013,13 +2811,14 @@ "value": "Distribute malicious software development tools - T1394" }, { - "description": "Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.\n\nA defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.\n\nIncidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018) ", + "description": "Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.\n\nA defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. 
Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.(Citation: TLDRSec AWS Attacks)\n\nAdversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.(Citation: Microsoft Azure Storage Shared Access Signature)\n\nIncidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018) ",
 "meta": {
 "external_id": "T1537",
 "kill_chain": [
 "mitre-attack:exfiltration"
 ],
 "mitre_data_sources": [
+ "Application Log: Application Log Content",
 "Cloud Storage: Cloud Storage Creation",
 "Cloud Storage: Cloud Storage Metadata",
 "Cloud Storage: Cloud Storage Modification",
@@ -3029,13 +2828,18 @@
 "Snapshot: Snapshot Modification"
 ],
 "mitre_platforms": [
- "IaaS"
+ "IaaS",
+ "SaaS",
+ "Google Workspace",
+ "Office 365"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1537",
 "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html",
 "https://docs.microsoft.com/en-us/azure/storage/blobs/snapshots-overview",
 "https://docs.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature",
+ "https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview",
+ "https://tldrsec.com/p/blog-lesser-known-aws-attacks",
 "https://www.justice.gov/file/1080281/download"
 ]
 },
@@ -3133,6 +2937,43 @@ "uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", "value": "Boot or Logon Initialization Scripts - T1398" }, + { + "description": "Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.\n\nModifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants.\n\nWith sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential attacks malicious outcomes that can stem from this abuse. 
Examples of such abuse include: \n\n* modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)\n* modifying domain trusts to include an adversary-controlled domain, allowing adversaries to forge access tokens that will subsequently be accepted by victim domain resources(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)\n* changing configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207).\n* adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant (Citation: Okta Cross-Tenant Impersonation 2023)\n\nAdversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.", + "meta": { + "external_id": "T1484", + "kill_chain": [ + "mitre-attack:defense-evasion", + "mitre-attack:privilege-escalation" + ], + "mitre_data_sources": [ + "Active Directory: Active Directory Object Creation", + "Active Directory: Active Directory Object Deletion", + "Active Directory: Active Directory Object Modification", + "Application Log: Application Log Content", + "Command: Command Execution" + ], + "mitre_platforms": [ + "Windows", + "Azure AD", + "SaaS" + ], + "refs": [ + "http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/", + "https://adsecurity.org/?p=2716", + "https://attack.mitre.org/techniques/T1484", + "https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365", + "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml", + 
"https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
+ "https://wald0.com/?p=179",
+ "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/",
+ "https://www.sygnia.co/golden-saml-advisory"
+ ]
+ },
+ "uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
+ "value": "Domain or Tenant Policy Modification - T1484"
+ },
 {
 "description": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.\n\nSince some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.",
 "meta": {
@@ -3156,7 +2997,8 @@
 "mitre_platforms": [
 "Linux",
 "macOS",
- "Windows"
+ "Windows",
+ "Network"
 ],
 "refs": [
 "http://msdn.microsoft.com/en-us/library/aa376977",
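Review bot: This hunk inserts a brand-new object with `"uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d"` and `"value": "Domain or Tenant Policy Modification - T1484"`, but nothing in the visible diff removes the previous `Domain Policy Modification - T1484` entry; if, as the shared T-number suggests, that entry used the same uuid, the cluster will end up with two values sharing one uuid unless a hunk outside this view deletes the old one, and MISP galaxy's validation (and MISP's import) should reject or silently merge that. Please confirm with `jq '[.values[].uuid] | group_by(.) | map(select(length>1))' clusters/mitre-attack-pattern.json` that the result is empty, and that any `related` links the old entry carried are preserved — the new object has no `related` array at all. Minor: the description reads `there are a great number of potential attacks malicious outcomes`, a stray word inherited from upstream ATT&CK; since this file is generated, report it there rather than hand-editing.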
@@ -3412,7 +3254,7 @@ "value": "OS-vendor provided communication channels - T1390" }, { - "description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.\n\nAdversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.\n\nIn some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)", + "description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.\n\nAdversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account. 
If adversaries lack credentials to victim accounts, they may also abuse automatic push notification generation when this option is configured for self-service password reset (SSPR).(Citation: Obsidian SSPR Abuse 2023)\n\nIn some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)",
 "meta": {
 "external_id": "T1621",
 "kill_chain": [
@@ -3438,7 +3280,8 @@
 "https://attack.mitre.org/techniques/T1621",
 "https://portswigger.net/daily-swig/mfa-fatigue-attacks-users-tricked-into-allowing-device-access-due-to-overload-of-push-notifications",
 "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/",
- "https://www.mandiant.com/resources/russian-targeting-gov-business"
+ "https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/"
 ]
 },
 "uuid": "954a1639-f2d6-407d-aef3-4917622ca493",
@@ -3472,7 +3315,7 @@ "value": "Rogue Wi-Fi Access Points - T1465" }, { - "description": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\n\nThe event logs can be cleared with the following utility commands:\n\n* wevtutil cl system\n* wevtutil cl application\n* wevtutil cl security\n\nThese logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)", + "description": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\n\n\nWith administrator privileges, the event logs can be cleared with the following utility commands:\n\n* wevtutil cl system\n* wevtutil cl application\n* wevtutil cl security\n\nThese logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security EventLog and after reboot, disable future logging. 
Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)\n\nAdversaries may also attempt to clear logs by directly deleting the stored log files within `C:\\Windows\\System32\\winevt\\logs\\`.", "meta": { "external_id": "T1070.001", "kill_chain": [ 
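Review bot: The new closing sentence presents deleting the files under `C:\Windows\System32\winevt\logs\` as a straightforward alternative to `wevtutil cl`, but it gives no hint that those .evtx files are in use by the running Event Log service, and in my experience a plain delete fails until that service is stopped or the handle is otherwise released — a caveat defenders would want, since a service stop is itself a detection opportunity. Suggested wording: `Adversaries may also attempt to clear logs by directly deleting the stored log files within C:\Windows\System32\winevt\logs\, which typically requires first stopping the Event Log service that holds those files open.` The added line also introduces a triple `\n\n\n` before `With administrator privileges` where the rest of the description uses double newlines. Both points concern upstream ATT&CK text, so the durable fix is upstream or in the generator rather than a hand edit to this generated cluster.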
@@ -3690,7 +3533,7 @@ "value": "Indicator Removal from Tools - T1027.005" }, { - "description": "Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. \n\nFor example, the Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation: Google Ensuring Your Information is Safe) \n\nAdversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)\n\nThis may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. 
- Defending O365 - 2019)", + "description": "Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. \n\nFor example, the Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation: Google Ensuring Your Information is Safe) \n\nAdversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Mandiant Defend UNC2452 White Paper)\n\nThis may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)", "meta": { "external_id": "T1098.002", "kill_chain": [ 
@@ -3713,8 +3556,8 @@
 "https://googleblog.blogspot.com/2011/06/ensuring-your-information-is-safe.html",
 "https://support.google.com/a/answer/7223765?hl=en",
 "https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/",
- "https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html",
 "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf",
+ "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452",
 "https://www.slideshare.net/DouglasBienstock/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365"
 ]
 },
@@ -4019,7 +3862,7 @@
 "value": "Compromise Software Supply Chain - T1195.002"
 },
 {
- "description": "Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.\n\nThis behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.",
+ "description": "Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function.(Citation: LogonUserW function) The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.\n\nThis behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.",
 "meta": {
 "external_id": "T1134.003",
 "kill_chain": [
@@ -4035,6 +3878,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1134/003",
+ "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonuserw",
 "https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing"
 ]
 },
@@ -4143,7 +3987,7 @@ "value": "Hidden Files and Directories - T1564.001" }, { - "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\n\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)\n\nAdversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. 
In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.", + "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\n\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. 
(Citation: Microsoft Security Advisory 2269637)\n\nPhantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.\n\nAdversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.", "meta": { "external_id": "T1574.001", "kill_chain": [ @@ -4165,6 +4009,7 @@ "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN", "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN", "https://msdn.microsoft.com/en-US/library/aa375365", + "https://www.crowdstrike.com/blog/4-ways-adversaries-hijack-dlls/", "https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html", "https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html", "https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html", 
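Review bot: The added phantom DLL sentence says the adversary plants the DLL `in the location of the missing module`, which reads as if there were one correct directory; because the referenced module does not exist, the loader walks the full search order the description lays out two paragraphs earlier, so any writable directory the program consults before giving up is sufficient, and that broader condition is what defenders should audit for. Suggest `They may be able to load their own malicious DLL by planting it, under the expected name, in any writable directory on the search path the program consults for the missing module.` This is upstream ATT&CK text, so the wording change belongs upstream rather than as a hand edit to this generated cluster.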
@@ -4790,7 +4635,7 @@ "value": "Application or System Exploitation - T1499.004" }, { - "description": "Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. \n\nJust-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Google Cloud Just in Time Access 2023)(Citation: Azure Just in Time Access 2023)\n\nAccount impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the `iam.serviceAccountTokenCreator` role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account.(Citation: Google Cloud Service Account Authentication Roles) In Exchange Online, the `ApplicationImpersonation` role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange) \n\nMany cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. 
In AWS, users with the `PassRole` permission can allow a service they create to assume a given role, while in GCP, users with the `iam.serviceAccountUser` role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles)\n\nWhile users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation)\n\n**Note:** this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)", + "description": "Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. \n\nJust-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. 
This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Azure Just in Time Access 2023)\n\nAccount impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the `iam.serviceAccountTokenCreator` role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account, while service accounts with domain-wide delegation permission are permitted to impersonate Google Workspace accounts.(Citation: Google Cloud Service Account Authentication Roles)(Citation: Hunters Domain Wide Delegation Google Workspace 2023)(Citation: Google Cloud Just in Time Access 2023)(Citation: Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023) In Exchange Online, the `ApplicationImpersonation` role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange) \n\nMany cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. 
In AWS, users with the `PassRole` permission can allow a service they create to assume a given role, while in GCP, users with the `iam.serviceAccountUser` role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles)\n\nWhile users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation)\n\n**Note:** this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)", "meta": { "external_id": "T1548.005", "kill_chain": [ @@ -4803,7 +4648,8 @@ "mitre_platforms": [ "IaaS", "Azure AD", - "Office 365" + "Office 365", + "Google Workspace" ], "refs": [ "https://attack.mitre.org/techniques/T1548/005", 
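Review bot: The new description moves `(Citation: Google Cloud Just in Time Access 2023)` out of the just-in-time access sentence, which is now backed only by the Azure citation, and attaches it to the domain-wide delegation sentence, where a JIT-access reference does not support the claim being made. The Google JIT URL is still present in `refs`, so nothing is lost from the reference list, but the citation should sit back after `automatically granted.` next to `(Citation: Azure Just in Time Access 2023)`. Since this cluster is generated from upstream ATT&CK, the correction belongs upstream; it is worth a quick check that the generator itself did not reorder the citation markers.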
@@ -4814,7 +4660,9 @@
 "https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-ews-in-exchange",
 "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
 "https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/",
- "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/"
+ "https://unit42.paloaltonetworks.com/critical-risk-in-google-workspace-delegation-feature/",
+ "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/",
+ "https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover"
 ]
 },
 "related": [
@@ -4827,7 +4675,7 @@ "value": "Temporary Elevated Cloud Access - T1548.005" }, { - "description": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming) \n\nWhen used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)\n\nKernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload and kextunload commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)\n\nSince macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. 
However, kexts are still allowed as \"Legacy System Extensions\" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)\n\nAdversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)", + "description": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming) \n\nWhen used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)\n\nKernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. 
Kexts are loaded and unloaded through kextload and kextunload commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)\n\nSince macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as \"Legacy System Extensions\" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)\n\nAdversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)", "meta": { "external_id": "T1547.006", "kill_chain": [ 
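Review bot: The removed and added description lines read identically in this view, so the change appears to be whitespace-only inside the string; that is worth confirming as intended, because a whitespace-only rewrite of a long description churns every downstream consumer that diffs cluster values without conveying new information. While the text is being touched, `run as apart of the kernel` should read `run as a part of the kernel`; the typo comes from upstream ATT&CK text, so the fix belongs there rather than in this generated file.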
@@ -5160,7 +5008,7 @@ "value": "Exfiltration Over C2 Channel - T1041" }, { - "description": "Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.\n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nThere are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services.(Citation: NVD CVE-2014-7169)\n\nDepending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.", + "description": "Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. 
Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.\n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nThere are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services.(Citation: NVD CVE-2014-7169)\n\nDepending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.", "meta": { "external_id": "T1210", "kill_chain": [ @@ -5404,7 +5252,8 @@ "mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "refs": [ "https://attack.mitre.org/techniques/T1027", 
@@ -5422,7 +5271,7 @@
 "value": "Obfuscated Files or Information - T1027"
 },
 {
- "description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.",
+ "description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.(Citation: ESET Sednit USBStealer 2014) Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.",
 "meta": {
 "external_id": "T1092",
 "kill_chain": [
@@ -5438,6 +5287,7 @@
 "Windows"
 ],
 "refs": [
+ "http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/",
 "https://attack.mitre.org/techniques/T1092"
 ]
 },
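Review bot: The new reference `http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/` is the only plain-HTTP URL added in this change; every other reference in these hunks uses HTTPS, and an HTTP link in a threat-intel feed that analysts click on invites interception or content tampering en route. As far as I know the same path is served over TLS, so `https://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/` should be used, noting that the entry would then sort after `https://attack.mitre.org/techniques/T1092` if the refs list is kept ordered. If the generator copies URLs verbatim from upstream ATT&CK, the scheme normalization belongs in the generator so it is not undone on the next regeneration.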
@@ -5542,7 +5392,7 @@ "value": "Indicator Removal on Host - T1630" }, { - "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A)", + "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. 
dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A)\n\nSome files and directories may require elevated or specific user permissions to access.", "meta": { "external_id": "T1083", "kill_chain": [ @@ -5626,13 +5476,6 @@ { "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "type": "revoked-by" - }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "revoked-by" } ], "uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b", 
@@ -5997,7 +5840,7 @@ "value": "Bypass User Account Control - T1088" }, { - "description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\n\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.\n\nThere have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)", + "description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\n\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). 
The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.\n\nThere have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)", "meta": { "external_id": "T1211", "kill_chain": [ 
@@ -6056,7 +5899,7 @@ "value": "Extra Window Memory Injection - T1181" }, { - "description": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. \n\nCredentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack)\n\nSuch exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access)\n\nExploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.", + "description": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. 
Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. \n\nCredentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack)\n\nSuch exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access)\n\nExploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.", "meta": { "external_id": "T1212", "kill_chain": [ 
@@ -6161,7 +6004,7 @@ "value": "System Network Connections Discovery - T1421" }, { - "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) When used maliciously, Loadable Kernel Modules (LKMs) can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Adversaries can use loadable kernel modules to covertly persist on a system and evade defenses. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)\n\nCommon features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)\n\nKernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. Several examples have been found where this can be used. (Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken) Examples have been found in the wild. (Citation: Securelist Ventir)", + "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. 
For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) When used maliciously, Loadable Kernel Modules (LKMs) can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Adversaries can use loadable kernel modules to covertly persist on a system and evade defenses. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)\n\nCommon features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)\n\nKernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. Several examples have been found where this can be used. (Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken) Examples have been found in the wild. (Citation: Securelist Ventir)", "meta": { "external_id": "T1215", "kill_chain": [ 
@@ -6500,7 +6343,7 @@ "value": "Cloud Storage Object Discovery - T1619" }, { - "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of operating systems they access or through information discovery of remote systems. \n\n \n\nOn Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) \n\n \n\nOn iOS, gathering network configuration information is not possible without root access. \n\n \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ", + "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems. \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. \n\nOn Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. 
However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) \n\n \n\nOn iOS, gathering network configuration information is not possible without root access. \n\n \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ", "meta": { "external_id": "T1422", "kill_chain": [ @@ -6684,13 +6527,6 @@ { "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", "type": "revoked-by" - }, - { - "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "revoked-by" } ], "uuid": "b928b94a-4966-4e2a-9e61-36505b896ebc", 
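Review bot: The rewritten T1422 description now contains the paragraph "Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors …" twice: it was moved up to follow the opening sentence, but the original copy after the iOS sentence was left in place at the end of the added line. Drop the trailing copy (everything after `…not possible without root access. ` up to the closing quote), and while the line is being rewritten collapse the whitespace-only paragraphs `\n\n \n\n` to `\n\n`, which is how the other descriptions in this file separate paragraphs. The removal of the duplicated `revoked-by` relationship in the hunk that follows on the same line is fine.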
@@ -6782,13 +6618,14 @@ "value": "Identify web defensive services - T1256" }, { - "description": "Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.\n\nIn Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts)\n\nToken theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. 
\n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)\n\nApplication access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user. 
\n\n", + "description": "Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.\n\nFor example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts) Similarly, instances within continuous-development / continuous-integration (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.(Citation: Cider Security Top 10 CICD Security Risks) If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges.\n\nToken theft can also occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. 
An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)\n\nApplication access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user. \n\n", "meta": { "external_id": "T1528", "kill_chain": [ "mitre-attack:credential-access" ], "mitre_data_sources": [ + "Active Directory: Active Directory Object Modification", "User Account: User Account Modification" ], "mitre_platforms": [ 
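Review bot: The new CI/CD sentence in the T1528 description expands the initialism as `continuous-development / continuous-integration (CI/CD)`, which matches neither the letter order of CI/CD nor its usual meaning; it should read `continuous integration / continuous delivery (CI/CD)` (or `continuous deployment`). Separately, the data source added to `mitre_data_sources`, `Active Directory: Active Directory Object Modification`, is not tied to anything in the description text; if it is meant to cover the application registration and consent grant in the Microsoft Identity Platform described in the OAuth paragraph, a short clause there saying that the registration and consent are recorded as identity-provider object modifications would tell detection engineers what the data source is for. This hunk begins at the tail of the preceding T1256 object, and the T1528 object continues past it.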
@@ -6808,7 +6645,8 @@
"https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app",
"https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow",
"https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/",
- "https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/"
+ "https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/",
+ "https://www.cidersecurity.io/top-10-cicd-security-risks/"
]
},
"uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
@@ -7020,7 +6858,7 @@ "value": "Remote Service Session Hijacking - T1563" }, { - "description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\n\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.", + "description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. 
Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\n\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on [User Execution](https://attack.mitre.org/techniques/T1204) by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)\n\nThere are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.", "meta": { "external_id": "T1539", "kill_chain": [ 
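Review bot: Two wording errors are carried verbatim into the rewritten T1539 description line and should be fixed while the line is being touched: `Session cookies can be used to bypasses some multi-factor authentication protocols` should be `… can be used to bypass …`, and `on the targets machine` should be `on the target's machine`. The new sentence about stealing cookies by injecting JavaScript or via [User Execution](https://attack.mitre.org/techniques/T1204) is consistent with the two Talos and Krebs URLs added to `refs` in the next hunk, so the citations resolve. The T1539 object continues past the end of this hunk.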
@@ -7040,8 +6878,10 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1539",
+ "https://blog.talosintelligence.com/roblox-scam-overview/",
"https://github.com/kgretzky/evilginx2",
"https://github.com/muraenateam/muraena",
+ "https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/",
"https://securelist.com/project-tajmahal/90240/",
"https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
"https://wunderwuzzi23.github.io/blog/passthecookie.html"
@@ -7173,7 +7013,7 @@ "value": "Network Denial of Service - T1464" }, { - "description": "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)\n\nSince these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.", + "description": "Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.\n\nAdversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. 
Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.\n\nAn adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)", "meta": { "external_id": "T1554", "kill_chain": [ @@ -7197,7 +7037,7 @@ ] }, "uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", - "value": "Compromise Client Software Binary - T1554" + "value": "Compromise Host Software Binary - T1554" }, { "description": "Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. \n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device. ", 
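Review bot: The new second paragraph of the T1554 description has a typo: `Adversaries may establish persistence though modifications to host software binaries.` should read `… persistence through modifications …`. The rest of the rewrite reads consistently with the generalisation from client software to any host binary, and the IAT-hooking/entry-point-patching examples keep their existing citations. The enclosing object begins before this hunk.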
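Review bot: Changing the cluster `value` from `Compromise Client Software Binary - T1554` to `Compromise Host Software Binary - T1554` changes the human-readable name that galaxy tags are built from, so any existing events, correlation rules or exports keyed on the old name will stop matching even though the `uuid` is unchanged. If this galaxy supports it, keep the old name reachable (for example as a `synonyms` entry under `meta`), or at least call the rename out in the release notes so consumers can migrate. Note also that the mobile cluster immediately below keeps the name `Compromise Client Software Binary - T1645`, so the two entries now differ only by `Host` versus `Client` in the name.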
@@ -7220,7 +7060,7 @@
"value": "Compromise Client Software Binary - T1645"
},
{
- "description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.",
+ "description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)",
"meta": {
"external_id": "T1548",
"kill_chain": [
@@ -7247,7 +7087,11 @@
"Azure AD"
],
"refs": [
- "https://attack.mitre.org/techniques/T1548"
+ "https://attack.mitre.org/techniques/T1548",
+ "https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware",
+ "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works",
+ "https://www.sudo.ws/",
+ "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
]
},
"uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
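Review bot: The rewritten T1548 description keeps the ungrammatical phrase `mechanisms designed to control elevate privileges`; since the line is being changed to add citations anyway, make it `mechanisms designed to control elevated privileges` (or `… control privilege elevation`). In the refs hunk that follows, the URL backing `(Citation: sudo man page 2018)` is `https://www.sudo.ws/`, which is the project home page rather than a manual page; if a stable manual URL is available it should be used so the citation resolves to what it names, otherwise the citation label should describe the link it actually points to. The enclosing object begins before this hunk.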
@@ -7280,6 +7124,24 @@
"uuid": "667e5707-3843-4da8-bd34-88b922526f0d",
"value": "Replication Through Removable Media - T1458"
},
+ {
+ "description": "Adversaries may exploit software vulnerabilities to gain initial access to a mobile device. \n\nThis can be accomplished in a variety of ways. Vulnerabilities may be present in applications, services, the underlying operating system, or in the kernel itself. Several well-known mobile device exploits exist, including FORCEDENTRY, StageFright, and BlueBorne. Further, some exploits may be possible to exploit without any user interaction (zero-click), making them particularly dangerous. Mobile operating system vendors are typically very quick to patch such critical bugs, ensuring only a small window where they can be exploited. ",
+ "meta": {
+ "external_id": "T1664",
+ "kill_chain": [
+ "mitre-mobile-attack:initial-access"
+ ],
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1664"
+ ]
+ },
+ "uuid": "6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe",
+ "value": "Exploitation for Initial Access - T1664"
+ },
{
"description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.",
"meta": {
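Review bot: The new T1664 cluster names three concrete exploits (`FORCEDENTRY`, `StageFright`, `BlueBorne`) and makes claims about zero-click exploitation and vendor patch windows without a single `(Citation: …)` marker, and its `refs` array holds only `https://attack.mitre.org/techniques/T1664`, whereas every other description in this change that names a case pairs the claim with a citation and a matching `refs` URL. Add the source references for those exploits and claims so consumers can verify them, or trim the unsupported names from the description. The entry also has no `mitre_data_sources` key; if the upstream technique defines detection data sources they should be mirrored here as the neighbouring enterprise entries do. The object is complete within this hunk.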
@@ -7461,7 +7323,7 @@
 "value": "Endpoint Denial of Service - T1499"
 },
 {
- "description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
+ "description": "Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
 "meta": {
 "external_id": "T1555",
 "kill_chain": [
@@ -7482,7 +7344,8 @@
 "IaaS"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1555"
+ "https://attack.mitre.org/techniques/T1555",
+ "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
 ]
 },
 "uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
@@ -7596,7 +7459,7 @@ "value": "Modify Cloud Compute Infrastructure - T1578" }, { - "description": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.(Citation: GrimBlog UsernameEnum) Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks)\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "description": "Adversaries may gather information about the victim's identity that can be used during targeting. 
Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system or permitted MFA /methods associated with those usernames.(Citation: GrimBlog UsernameEnum)(Citation: Obsidian SSPR Abuse 2023) Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks)\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", "meta": { "external_id": "T1589", "kill_chain": [ 
@@ -7616,6 +7479,7 @@
 "https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/",
 "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/",
 "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196",
+ "https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/",
 "https://www.opm.gov/cybersecurity/cybersecurity-incidents/",
 "https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/",
 "https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/"
@@ -7624,6 +7488,36 @@ "uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", "value": "Gather Victim Identity Information - T1589" }, + { + "description": "Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)\n\nAdversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)\n\nThese scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)", + "meta": { + "external_id": "T1059.010", + "kill_chain": [ + "mitre-attack:execution" + ], + "mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation" + ], + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1059/010", + "https://www.autohotkey.com/docs/v1/Program.htm", + "https://www.autoitscript.com/autoit3/docs/intro/running.htm", + "https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "subtechnique-of" + } + ], + "uuid": "3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5", + "value": "AutoHotKey & AutoIT - T1059.010" + }, { "description": "Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol 
(SNMP).\n\nThe MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight in their systems, such as, system information, description of hardware, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details.\n\nAdversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) ", "meta": { 
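Review bot: The new `related` entry points `subtechnique-of` at `7385dfaf-6886-4229-9ecd-6fd678040830`, presumably the `Command and Scripting Interpreter - T1059` cluster, but nothing in this hunk shows that uuid exists in the file; a dangling relationship target passes JSON validation silently, so it is worth confirming the parent cluster is present before merge. The `value` `AutoHotKey & AutoIT - T1059.010` is also the only value in the visible hunks carrying an ampersand, which ends up verbatim in the `misp-galaxy:mitre-attack-pattern="…"` tag; confirm that tag creation and tag search handle it without escaping surprises. The enclosing cluster array continues outside the hunk.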
@@ -7736,7 +7630,7 @@ "value": "Dynamic-link Library Injection - T1055.001" }, { - "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)", + "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. 
The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).\n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)", "meta": { "external_id": "T1190", "kill_chain": [ @@ -7894,13 +7788,6 @@ { "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", "type": "revoked-by" - }, - { - "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "revoked-by" } ], "uuid": "11bd699b-f2c2-4e48-bf46-fb3f8acd9799", 
@@ -8121,7 +8008,7 @@ "value": "Disable Crypto Hardware - T1600.002" }, { - "description": "Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)\n\nOn Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)\n\nWith SYSTEM access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py can be used to extract the cached credentials.\n\nNote: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)", + "description": "Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)\n\nOn Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)\n\nOn Linux systems, Active Directory credentials can be accessed through caches maintained by software like System Security Services Daemon (SSSD) or Quest Authentication Services (formerly VAS). 
Cached credential hashes are typically located at `/var/lib/sss/db/cache.[domain].ldb` for SSSD or `/var/opt/quest/vas/authcache/vas_auth.vdb` for Quest. Adversaries can use utilities, such as `tdbdump`, on these database files to dump the cached hashes and use [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to obtain the plaintext password.(Citation: Brining MimiKatz to Unix) \n\nWith SYSTEM or sudo access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py for Windows or Linikatz for Linux can be used to extract the cached credentials.(Citation: Brining MimiKatz to Unix)\n\nNote: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)",
 "meta": {
 "external_id": "T1003.005",
 "kill_chain": [
@@ -8131,13 +8018,15 @@
 "Command: Command Execution"
 ],
 "mitre_platforms": [
- "Windows"
+ "Windows",
+ "Linux"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1003/005",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v%3Dws.11)",
 "https://github.com/mattifestation/PowerSploit",
 "https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials",
+ "https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf",
 "https://passlib.readthedocs.io/en/stable/lib/passlib.hash.msdcc2.html"
 ]
 },
@@ -8161,6 +8050,7 @@
 "Command: Command Execution",
 "File: File Deletion",
 "File: File Modification",
+ "Process: Process Creation",
 "User Account: User Account Authentication"
 ],
 "mitre_platforms": [
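Review bot: `mitre_platforms` gains `Linux` to match the description's new SSSD and Quest cache paths (`/var/lib/sss/db/cache.[domain].ldb`, `/var/opt/quest/vas/authcache/vas_auth.vdb`), but the `mitre_data_sources` list for this cluster, whose start lies above the hunk, shows only `Command: Command Execution` at the hunk edge; reading those database files is a file-access event rather than a command, so a `File: File Access` data source would be the natural detection hook for the Linux case if the upstream technique lists one. If this file is regenerated from the ATT&CK STIX bundle the fix belongs upstream and this hunk should stay a faithful mirror rather than be hand-edited. The third hunk here adds `Process: Process Creation` to a cluster whose identity is outside the hunk.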
@@ -8475,7 +8365,7 @@
 "value": "Windows Remote Management - T1021.006"
 },
 {
- "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
+ "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMB(Citation: US-CERT TA18-074A), FTP(Citation: ESET Machete July 2019), FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
 "meta": {
 "external_id": "T1071.002",
 "kill_chain": [
@@ -8488,11 +8378,14 @@
 "mitre_platforms": [
 "Linux",
 "macOS",
- "Windows"
+ "Windows",
+ "Network"
 ],
 "refs": [
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
- "https://attack.mitre.org/techniques/T1071/002"
+ "https://attack.mitre.org/techniques/T1071/002",
+ "https://www.us-cert.gov/ncas/alerts/TA18-074A",
+ "https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf"
 ]
 },
 "related": [
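Review bot: `mitre_platforms` is append-ordered here (`Windows` followed by `Network`) while the `refs` array in the same hunk is kept alphabetically sorted; the same pattern appears in the T1003.005 hunk (`Windows`, `Linux`) and the T1561.001 hunk (`Windows`, `Network`). If the generator sorts `refs` for stable diffs, sorting `mitre_platforms` the same way would keep future platform additions from producing order-dependent churn across every cluster. This is a generator-level change, not something to hand-edit in the cluster file.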
@@ -8698,7 +8591,7 @@ "value": "Archive via Utility - T1560.001" }, { - "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nFor example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. 
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) \n\nIn AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation Persistence)", + "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nFor example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute 
os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) \n\nIn AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials to [Forge Web Credentials](https://attack.mitre.org/techniques/T1606) tied to the permissions of the original user account. These temporary credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation Persistence)", "meta": { "external_id": "T1098.001", "kill_chain": [ 
@@ -8927,7 +8820,7 @@ "value": "Archive via Library - T1560.002" }, { - "description": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs) ", + "description": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. 
When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs)\n\nAdversaries may also mimic common software authentication requests, such as those from browsers or email clients. This may also be paired with user activity monitoring (i.e., [Browser Information Discovery](https://attack.mitre.org/techniques/T1217) and/or [Application Window Discovery](https://attack.mitre.org/techniques/T1010)) to spoof prompts when users are naturally accessing sensitive sites/data.", "meta": { "external_id": "T1056.002", "kill_chain": [ 
@@ -9388,7 +9281,7 @@ "value": "Break Process Trees - T1036.009" }, { - "description": "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)\n(Citation: Microsoft O365 Admin Roles) \n\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\n\nFor example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)", + "description": "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. 
For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)\n(Citation: Microsoft O365 Admin Roles) \n\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\n\nFor example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)\n\nIn some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to [Create Account](https://attack.mitre.org/techniques/T1136) or modify a victim-owned account.(Citation: Invictus IR DangerDev 2024)", "meta": { "external_id": "T1098.003", "kill_chain": [ 
@@ -9412,7 +9305,8 @@
 "https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide",
 "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/",
 "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
- "https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d"
+ "https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d",
+ "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"
 ]
 },
 "related": [
@@ -10047,7 +9941,8 @@
 "mitre_platforms": [
 "Linux",
 "macOS",
- "Windows"
+ "Windows",
+ "Network"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1561/001",
@@ -10067,7 +9962,7 @@ "value": "Disk Content Wipe - T1561.001" }, { - "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.\n\nAdversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)", + "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. 
Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.\n\nAdversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.", "meta": { "external_id": "T1518.001", "kill_chain": [ @@ -10082,18 +9977,12 @@ ], "mitre_platforms": [ "Windows", - "Azure AD", - "Office 365", - "SaaS", "IaaS", "Linux", - "macOS", - "Google Workspace" + "macOS" ], "refs": [ - "https://attack.mitre.org/techniques/T1518/001", - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html", - "https://expel.io/blog/finding-evil-in-aws/" + "https://attack.mitre.org/techniques/T1518/001" ] }, "related": [ 
@@ -10130,6 +10019,31 @@ "uuid": "ed730f20-0e44-48b9-85f8-0e2adeb76867", "value": "Determine Physical Locations - T1591.001" }, + { + "description": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using `adb shell netstat` for Android.(Citation: adb_commands)\n\nAdversaries may use the results and responses from these requests to determine if the mobile devices are capable of communicating with adversary-owned C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.", + "meta": { + "external_id": "T1422.001", + "kill_chain": [ + "mitre-mobile-attack:discovery" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1422/001", + "https://gist.github.com/Pulimet/5013acf2cd5b28e55036c82c91bd56d8" + ] + }, + "related": [ + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "type": "subtechnique-of" + } + ], + "uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "value": "Internet Connection Discovery - T1422.001" + }, { "description": "Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory. \n\nAdversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., [Malicious File](https://attack.mitre.org/techniques/T1204/002)), payloads referenced via external URLs within the LNK icon location field may be downloaded. 
These files may also then be invoked by [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)/[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218) arguments within the target path field of the LNK.(Citation: Unprotect Shortcut)(Citation: Booby Trap Shortcut 2017)\n\nLNK Icon Smuggling may also be utilized post compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads. \n", "meta": { 
@@ -10196,7 +10110,7 @@ "value": "GUI Input Capture - T1417.002" }, { - "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n\nIt is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)\n\nIn cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)", + "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. 
These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n\nIt is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)\n\nIn cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)", "meta": { "external_id": "T1552.001", "kill_chain": [ 
@@ -10908,40 +10822,27 @@ "value": "Credentials in Registry - T1552.002" }, { - "description": "Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\n\nManipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) ", + "description": "Adversaries may attempt to hide multimedia files from the user. By doing so, adversaries may conceal captured files, such as pictures, videos and/or screenshots, then later exfiltrate those files. \n\nSpecific to Android devices, if the `.nomedia` file is present in a folder, multimedia files in that folder will not be visible to the user in the Gallery application. Additionally, other applications are asked not to scan the folder with the `.nomedia` file, effectively making the folder appear invisible to the user. \n\nThis technique is often used by stalkerware and spyware applications. 
", "meta": { - "external_id": "T1484.002", + "external_id": "T1628.003", "kill_chain": [ - "mitre-attack:defense-evasion", - "mitre-attack:privilege-escalation" - ], - "mitre_data_sources": [ - "Active Directory: Active Directory Object Creation", - "Active Directory: Active Directory Object Modification", - "Command: Command Execution" + "mitre-mobile-attack:defense-evasion" ], "mitre_platforms": [ - "Windows", - "Azure AD" + "Android" ], "refs": [ - "https://attack.mitre.org/techniques/T1484/002", - "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed", - "https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365", - "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml", - "https://o365blog.com/post/federation-vulnerability/", - "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", - "https://www.sygnia.co/golden-saml-advisory" + "https://attack.mitre.org/techniques/T1628/003" ] }, "related": [ { - "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "dest-uuid": "fc53309d-ebd5-4573-9242-57024ebdad4f", "type": "subtechnique-of" } ], - "uuid": "24769ab5-14bd-4f4e-a752-cfb185da53ee", - "value": "Domain Trust Modification - T1484.002" + "uuid": "ea132c68-b518-4478-ae8d-1763cda26ee3", + "value": "Conceal Multimedia Files - T1628.003" }, { "description": "Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). 
Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.\n\nOne example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)\n\nAnother variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)", 
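Review bot: The hunk that starts at the "Credentials in Registry - T1552.002" context replaces the "Domain Trust Modification - T1484.002" cluster (uuid `24769ab5-14bd-4f4e-a752-cfb185da53ee`) in place with "Conceal Multimedia Files - T1628.003" (uuid `ea132c68-b518-4478-ae8d-1763cda26ee3`), so what reads as an edit is really a deletion plus an unrelated insertion. Galaxy cluster UUIDs are referenced from events and from the `related` lists of other clusters, so if T1484.002 is not re-added under its existing uuid elsewhere in this diff (upstream appears to have renamed the technique, which would explain the reordering), every reference to the old uuid dangles silently. Worth confirming that the old uuid still occurs exactly once in the new file and that the new uuid does not collide with an existing cluster; a generator-side uniqueness check on `uuid` would make this kind of swap visible at build time.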
@@ -11307,7 +11208,7 @@ "value": "Purchase Technical Data - T1597.002" }, { - "description": "Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.\n\nAcquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)", + "description": "Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.\n\nAcquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)", "meta": { "external_id": "T1583.003", "kill_chain": [ 
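Review bot: The removed and added `description` lines for the T1583.003 entry are visually identical, so the change is in whitespace or a non-printing character that the rendered diff does not show. Such invisible edits usually come from the generator normalising (or introducing) a non-breaking space, trailing space or similar, and they churn the file without changing meaning. Confirming with a character-level diff (for example `git diff --word-diff-regex=.`) and, if it is an encoding artefact, fixing the normalisation in the generator rather than committing the churn would keep future diffs reviewable.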
@@ -11356,14 +11257,14 @@
 "Windows"
 ],
 "refs": [
- "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf",
 "https://attack.mitre.org/techniques/T1553/004",
 "https://docs.microsoft.com/sysinternals/downloads/sigcheck",
 "https://en.wikipedia.org/wiki/Root_certificate",
 "https://objective-see.com/blog/blog_0x26.html",
 "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
 "https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/",
- "https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/"
+ "https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/",
+ "https://www.youtube.com/watch?v=gchKFumYHWc"
 ]
 },
 "related": [
@@ -11551,7 +11452,7 @@ "value": "Runtime Data Manipulation - T1565.003" }, { - "description": "Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\n\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.", + "description": "Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. 
It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: Lookout Dark Caracal Jan 2018) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\n\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.", "meta": { "external_id": "T1566.003", "kill_chain": [ @@ -11568,7 +11469,8 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/techniques/T1566/003" + "https://attack.mitre.org/techniques/T1566/003", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" ] }, "related": [ 
@@ -11649,7 +11551,8 @@
 "Command: Command Execution",
 "File: File Metadata",
 "File: File Modification",
- "Process: OS API Execution"
+ "Process: OS API Execution",
+ "Process: Process Creation"
 ],
 "mitre_platforms": [
 "Windows"
@@ -11687,6 +11590,7 @@
 "mitre_data_sources": [
 "Command: Command Execution",
 "Module: Module Load",
+ "Process: Process Creation",
 "Windows Registry: Windows Registry Key Modification"
 ],
 "mitre_platforms": [
@@ -12099,6 +12003,42 @@ "uuid": "90c4a591-d02d-490b-92aa-619d9701ac04", "value": "Network Provider DLL - T1556.008" }, + { + "description": "Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.(Citation: Microsoft Conditional Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional Access Policies) In some cases, identity providers may also support the use of risk-based metrics to deny sign-ins based on a variety of indicators. In AWS and GCP, IAM policies can contain `condition` attributes that verify arbitrary constraints such as the source IP, the date the request was made, and the nature of the resources or regions being requested.(Citation: AWS IAM Conditions)(Citation: GCP IAM Conditions) These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, as well as limit user permissions to only those required. 
\n\nBy modifying conditional access policies, such as adding additional trusted IP ranges, removing [Multi-Factor Authentication](https://attack.mitre.org/techniques/T1556/006) requirements, or allowing additional [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535), adversaries may be able to ensure persistent access to accounts and circumvent defensive measures.", + "meta": { + "external_id": "T1556.009", + "kill_chain": [ + "mitre-attack:credential-access", + "mitre-attack:defense-evasion", + "mitre-attack:persistence" + ], + "mitre_data_sources": [ + "Active Directory: Active Directory Object Modification", + "Cloud Service: Cloud Service Modification" + ], + "mitre_platforms": [ + "Azure AD", + "SaaS", + "IaaS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1556/009", + "https://cloud.google.com/iam/docs/conditions-overview", + "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html", + "https://jumpcloud.com/support/get-started-conditional-access-policies", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview", + "https://support.okta.com/help/s/article/Conditional-access-based-on-device-security-posture?language=en_US" + ] + }, + "related": [ + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "subtechnique-of" + } + ], + "uuid": "ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae", + "value": "Conditional Access Policies - T1556.009" + }, { "description": "Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. 
Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.\n\nRather than or in addition to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), an adversary can spoof positive affirmations that security tools are continuing to function even after legitimate security tools have been disabled (e.g., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)). An adversary can also present a “healthy” system status even after infection. This can be abused to enable further malicious activity by delaying defender responses.\n\nFor example, adversaries may show a fake Windows Security GUI and tray icon with a “healthy” system status after Windows Defender and other system tools have been disabled.(Citation: BlackBasta)", "meta": { @@ -12370,7 +12310,7 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1535", - "https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc" + "https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc" ] }, "uuid": "59bd0dec-f8b2-4b9a-9141-37a1e6899761", 
@@ -12440,7 +12380,7 @@
 "value": "Application Window Discovery - T1010"
 },
 {
- "description": "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.\n\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n",
+ "description": "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.\n\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n",
 "meta": {
 "external_id": "T1003",
 "kill_chain": [
@@ -12450,6 +12390,7 @@
 "Active Directory: Active Directory Object Access",
 "Command: Command Execution",
 "File: File Access",
+ "File: File Creation",
 "Network Traffic: Network Traffic Content",
 "Network Traffic: Network Traffic Flow",
 "Process: OS API Execution",
@@ -12467,6 +12408,7 @@
 "https://adsecurity.org/?p=1729",
 "https://attack.mitre.org/techniques/T1003",
 "https://github.com/mattifestation/PowerSploit",
+ "https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf",
 "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea",
 "https://msdn.microsoft.com/library/cc228086.aspx",
 "https://msdn.microsoft.com/library/cc237008.aspx",
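Review bot: The new inline citation key `(Citation: Brining MimiKatz to Unix)` in the T1003 description is misspelled relative to the paper it points at (the PDF added to `refs` in the third hunk is titled "Bringing-Mimikatz-et-al-to-UNIX"). If the key mirrors the upstream ATT&CK `source_name` it must stay as-is so the citation-to-ref mapping resolves, so this is an observation rather than a fix; if it is local it should be corrected. More generally nothing in this diff validates that every `(Citation: …)` marker in a `description` has a matching `refs` entry and vice versa — a generator-side check would catch both typos like this one and silently dropped references such as the trendmicro PDF removed from the T1553.004 refs earlier in this diff, whose citation status in that entry's description is not visible here.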
@@ -12573,7 +12515,8 @@
 "File: File Creation"
 ],
 "mitre_platforms": [
- "Windows"
+ "Windows",
+ "Network"
 ],
 "refs": [
 "http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin",
@@ -12818,7 +12761,7 @@ "value": "Device Administrator Permissions - T1401" }, { - "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)", + "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. 
Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566) lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. 
For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)", "meta": { "external_id": "T1105", "kill_chain": [ @@ -12834,14 +12777,16 @@ "mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "refs": [ "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "https://attack.mitre.org/techniques/T1105", "https://lolbas-project.github.io/#t1105", "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf", - "https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/" + "https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/", + "https://www.trellix.com/blogs/research/beyond-file-search-a-novel-method/" ] }, "uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", 
@@ -12916,7 +12861,7 @@
 "value": "Application Deployment Software - T1017"
 },
 {
- "description": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ",
+ "description": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22) ",
 "meta": {
 "external_id": "T1071",
 "kill_chain": [
@@ -12929,11 +12874,13 @@
 "mitre_platforms": [
 "Linux",
 "macOS",
- "Windows"
+ "Windows",
+ "Network"
 ],
 "refs": [
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
- "https://attack.mitre.org/techniques/T1071"
+ "https://attack.mitre.org/techniques/T1071",
+ "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email"
 ]
 },
 "uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
@@ -13179,7 +13126,7 @@ "value": "Parent PID Spoofing - T1502" }, { - "description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL)\n\nReflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)", + "description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. 
Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://attack.mitre.org/techniques/T1129)).\n\nReflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL) For example, the `Assembly.Load()` method executed by [PowerShell](https://attack.mitre.org/techniques/T1059/001) may be abused to load raw code into the running process.(Citation: Microsoft AssemblyLoad)\n\nReflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)", "meta": { "external_id": "T1620", "kill_chain": [ @@ -13198,6 +13145,7 @@ "refs": [ "https://0x00sec.org/t/super-stealthy-droppers/3715", "https://attack.mitre.org/techniques/T1620", + "https://learn.microsoft.com/dotnet/api/system.reflection.assembly.load", "https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html", "https://thewover.github.io/Introducing-Donut/", "https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/", 
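Review bot: The new `Assembly.Load()` example in the T1620 description does not say which overload is meant, and it matters: `Assembly.Load(string)` resolves an assembly by name from disk or the GAC, which is ordinary module loading, whereas only the byte-array overload loads raw code that exists solely in memory and therefore fits the technique. Suggest rewording to `the Assembly.Load(byte[]) overload invoked from PowerShell may be abused to load a raw in-memory assembly into the running process`, and pointing the learn.microsoft.com ref added in the refs hunk at that overload's page. Separately, `snubs of fileless executable code`, carried over unchanged from the old text, is presumably a typo for `stubs`.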
@@ -13239,7 +13187,7 @@ "value": "Rogue Domain Controller - T1207" }, { - "description": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). \n\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.", + "description": "Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager. \n\nAccess to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. 
The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nSaaS-based configuration management services may allow for broad [Cloud Administration Command](https://attack.mitre.org/techniques/T1651) on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001) to communicate back to adversary owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.", "meta": { "external_id": "T1072", "kill_chain": [ @@ -13254,11 +13202,14 @@ "Linux", "macOS", "Windows", - "Network" + "Network", + "SaaS" ], "refs": [ "https://attack.mitre.org/techniques/T1072", - "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem" + "https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d", + "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem", + "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan" ] }, "uuid": "92a78814-b191-47ca-909c-1ccfe3777414", 
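Review bot: The sentence moved into the T1072 description now reads `Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Azure AD`, but the same sentence removed from T1651 later in this diff attributed that capability to `Microsoft Endpoint Manager`, and the cited SpecterOps post describes Intune's PowerShell script feature; Configuration Manager (SCCM/MECM) is a separate product with its own script mechanism and its own admin roles. Suggest `Microsoft Intune (formerly Microsoft Endpoint Manager)` so the product, the admin roles named and the citation agree. The product list earlier in the same paragraph already names `Microsoft Intune` separately from `SCCM`, which makes the later sentence read as if SCCM were meant.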
@@ -13485,7 +13436,7 @@ "value": "Proxy Through Victim - T1604" }, { - "description": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)", + "description": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. 
WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.\n\nThe WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)\n\n**Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)", "meta": { "external_id": "T1047", "kill_chain": [ 
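Review bot: The closing paragraph of the new T1047 description says `tools like wbemtool.exe`, a binary that does not ship with Windows; the WMI test utility is `wbemtest.exe`, so this is presumably a typo (possibly inherited from upstream) that a defender copying the name into a detection rule would never match — confirm against the cited WMI start page. The deprecation note is also looser than it needs to be: `disabled by default on Windows 11+` reads as all Windows 11 builds, whereas the cited Tech Community post (if it states what its title implies) ties the disable-by-default step to a specific Windows 11 feature release and the deprecation itself to earlier versions, so quoting the release names would be more accurate. The `wmic.exe Shadowcopy Delete` example is fine but mirrors the T1490 bullet list; a cross-reference is already present via the Inhibit System Recovery link.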
@@ -13502,9 +13453,11 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1047", - "https://msdn.microsoft.com/en-us/library/aa394582.aspx", + "https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page?redirectedfrom=MSDN", + "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/wmi-command-line-wmic-utility-deprecation-next-steps/ba-p/4039242", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", - "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf" + "https://www.mandiant.com/resources/reports", + "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" ] }, "uuid": "01a5a209-b94c-450b-b7f9-946497d91055", 
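Review bot: The reference that replaces the SANS DFIR 2015 PDF, `https://www.mandiant.com/resources/reports`, is Mandiant's generic reports index rather than a document, so the `(Citation: Mandiant WMI)` key in the description can no longer be checked by a reader. If the original PDF is offline, an archived capture of the old `sans-dfir-2015.pdf` URL or the specific report's own URL would keep the citation verifiable; an index page also changes content over time without the citation noticing. The remainder of the array stays alphabetically sorted, which matches the other refs arrays in this file.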
@@ -13531,7 +13484,7 @@ "value": "Stored Application Data - T1409" }, { - "description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no\n* REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n\nOn network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System 
Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nAdversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)", + "description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. 
Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no\n* REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n* diskshadow.exe can be used to delete all volume shadow copies on a system - diskshadow delete shadows all (Citation: Diskshadow) (Citation: Crytox Ransomware)\n\nOn network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. 
Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nAdversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)", "meta": { "external_id": "T1490", "kill_chain": [ @@ -13557,11 +13510,13 @@ "refs": [ "https://attack.mitre.org/techniques/T1490", "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", "https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/", "https://twitter.com/TheDFIRReport/status/1498657590259109894", "https://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack", "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", - "https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/" + "https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/", + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware" ] }, "uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", 
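Review bot: The new T1490 bullet `diskshadow.exe can be used to delete all volume shadow copies on a system - diskshadow delete shadows all` presents `delete shadows all` as a command-line argument, but diskshadow does not take its commands as arguments: the token is typed at its interactive prompt or, as ransomware typically does, placed in a script file passed with `diskshadow.exe /s <file>`, so the string never appears in the process command line. Suggest `diskshadow.exe can be used to delete all volume shadow copies on a system, usually via a script file (diskshadow.exe /s <script>) containing delete shadows all`, so that readers building detections from this list do not key only on command-line arguments. Whether the cited Crytox analysis shows the `/s` form should be confirmed before presenting it as the example.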
@@ -13598,7 +13553,7 @@ "value": "Server Software Component - T1505" }, { - "description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.", + "description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.", "meta": { "external_id": "T1560", "kill_chain": [ @@ -13617,7 +13572,8 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1560", - "https://en.wikipedia.org/wiki/List_of_file_signatures" + "https://en.wikipedia.org/wiki/List_of_file_signatures", + "https://www.justice.gov/file/1080281/download" ] }, "uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", 
@@ -14084,7 +14040,7 @@ "value": "Space after Filename - T1151" }, { - "description": "Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)\n\nThere are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask)\n\nAdditionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open)\n\nGaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.", + "description": "Adversaries may break out of 
a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)\n\nThere are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask)\n\nAdditionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open)\n\nGaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers running on the host, or setting up a command and control channel on the host.", "meta": { "external_id": "T1611", "kill_chain": [ 
@@ -14181,7 +14137,7 @@ "value": "Credentials in Registry - T1214" }, { - "description": "An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service)\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\\\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.(Citation: Technet Windows Time Service)\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)", + "description": "An adversary may gather the system time and/or time zone settings from a local or remote system. 
The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\\\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as GetTickCount() to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)\n\nIn addition, system calls – such as time() – have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as systemsetup -gettimezone or timeIntervalSinceNow to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). 
Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)", "meta": { "external_id": "T1124", "kill_chain": [ @@ -14194,15 +14150,24 @@ ], "mitre_platforms": [ "Windows", - "Network" + "Network", + "Linux", + "macOS" ], "refs": [ "https://any.run/cybersecurity-blog/time-bombs-malware-with-delayed-execution/", "https://attack.mitre.org/techniques/T1124", "https://msdn.microsoft.com/ms724961.aspx", + "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/", + "https://support.apple.com/en-gb/guide/remote-desktop/apd95406b8d/mac", "https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-time-service-tools-and-settings", + "https://wiki.archlinux.org/title/System_time", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674", - "https://www.rsaconference.com/writable/presentations/file_upload/ht-209_rivner_schwartz.pdf" + "https://www.macinstruct.com/tutorials/synchronize-your-macs-clock-with-a-time-server/", + "https://www.picussecurity.com/resource/the-system-information-discovery-technique-explained-mitre-attack-t1082", + "https://www.picussecurity.com/resource/virtualization/sandbox-evasion-how-attackers-avoid-malware-analysis", + "https://www.rsaconference.com/writable/presentations/file_upload/ht-209_rivner_schwartz.pdf", + "https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/" ] }, "uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", 
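Review bot: In the macOS sentence of the T1124 description, `commands such as systemsetup -gettimezone or timeIntervalSinceNow` treats `timeIntervalSinceNow` as a command, but it is a Foundation `NSDate`/`Date` API member that the cited DazzleSpy analysis describes the malware calling from code, not something run from a shell. Suggest `commands such as systemsetup -gettimezone, or APIs such as NSDate's timeIntervalSinceNow`, which also matches how the same paragraph phrases `GetTickCount()` and `time()` as functions. The uptime sentence cites a vendor sandbox-evasion explainer rather than an analysis of a specific sample; if a primary source is available it would be the stronger reference.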
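Review bot: The platforms array becomes `"Windows", "Network", "Linux", "macOS"` by appending, whereas the other entries touched in this diff keep the order `Linux, macOS, Windows, Network` (T1105, T1071, T1072). If the generator mirrors upstream ATT&CK order this is expected, but a normalised order for this field (or sorting it, as the refs arrays already are) would keep future diffs smaller and make platform comparisons across entries reliable by eye.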
@@ -14275,7 +14240,7 @@ "value": "Netsh Helper DLL - T1128" }, { - "description": "An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).", + "description": "An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. 
These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n \nAdversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)). Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)", "meta": { "external_id": "T1219", "kill_chain": [ @@ -14296,6 +14261,8 @@ "https://attack.mitre.org/techniques/T1219", "https://blog.crysys.hu/2013/03/teamspy/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf", + "https://support.google.com/chrome/answer/1649523", + "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf" ] }, 
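Review bot: The T1219 description now ends with two near-identical citation keys, `(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)`, while the refs hunk on the same line adds one Google support page and one Huntress ScreenConnect post; a reader cannot tell which key maps to which, and presumably the second key is meant for the Huntress post. A key that names the source, e.g. `(Citation: Huntress SlashAndGrab ScreenConnect Feb 2024)`, keeps the citation traceable; if keys are inherited verbatim from upstream ATT&CK, the commit message should say so. Judging from its URL slug the Huntress post is primarily about exploitation of ScreenConnect CVE-2024-1709/1708, so if it is cited only for RMM tooling installed post-exploitation, stating that scope in the sentence would avoid implying the server vulnerability itself is T1219.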
@@ -14688,7 +14655,7 @@ "value": "Spearphishing via Service - T1194" }, { - "description": "Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.(Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020)\n\nIf an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)", + "description": "Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)\n\nIf an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. 
Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)", "meta": { "external_id": "T1651", "kill_chain": [ @@ -14700,14 +14667,12 @@ "Script: Script Execution" ], "mitre_platforms": [ - "IaaS", - "Azure AD" + "IaaS" ], "refs": [ "https://attack.mitre.org/techniques/T1651", "https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html", "https://learn.microsoft.com/en-us/azure/virtual-machines/run-command-overview", - "https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d", "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" ] }, 
@@ -14715,7 +14680,7 @@ "value": "Cloud Administration Command - T1651" }, { - "description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\\\SYSVOL\\\\Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)\n\nAdversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.", + "description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). 
Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\\\SYSVOL\\\\Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)\n\nAdversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain or Tenant Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.", "meta": { "external_id": "T1615", "kill_chain": [ @@ -15037,13 +15002,6 @@ { "dest-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a", "type": "related-to" - }, - { - "dest-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" } ], "uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549", @@ -15276,13 +15234,6 @@ { "dest-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549", "type": "related-to" - }, - { - "dest-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" } ], "uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a", @@ -15300,13 +15251,6 @@ { "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "type": "revoked-by" - }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "revoked-by" } ], "uuid": "e30cc912-7ea1-4683-9219-543b86cbdec9", 
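Review bot: The new T1615 description now links to `Domain or Tenant Policy Modification` for T1484, but later in this diff (the `@@ -16349` hunk) the existing T1484 entry with uuid `ebb42bbe-62d7-47d7-a55f-3b08b61d792d` is deleted outright rather than having its `value` and description updated in place. Unless the renamed entry is re-added under the same uuid somewhere outside this chunk, any `related` edge in this or another galaxy file that targets `ebb42bbe-…` will dangle, and consumers keying on the galaxy uuid lose the technique while the markdown link here still resolves only because it is a plain URL. Suggest confirming the uuid survives the rename, and if it does not, keeping the original entry and changing only `"value": "Domain or Tenant Policy Modification - T1484"` together with its description.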
@@ -15382,20 +15326,6 @@ { "dest-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", "type": "related-to" - }, - { - "dest-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "59369f72-3005-4e54-9095-3d00efcece73", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" } ], "uuid": "78e41091-d10d-4001-b202-89612892b6ff", @@ -15449,13 +15379,6 @@ { "dest-uuid": "af358cad-eb71-4e91-a752-236edc237dae", "type": "related-to" - }, - { - "dest-uuid": "af358cad-eb71-4e91-a752-236edc237dae", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" } ], "uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1", @@ -15609,13 +15532,6 @@ { "dest-uuid": "78e41091-d10d-4001-b202-89612892b6ff", "type": "related-to" - }, - { - "dest-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" } ], "uuid": "59369f72-3005-4e54-9095-3d00efcece73", @@ -15683,13 +15599,6 @@ { "dest-uuid": "78e41091-d10d-4001-b202-89612892b6ff", "type": "related-to" - }, - { - "dest-uuid": "59369f72-3005-4e54-9095-3d00efcece73", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" } ], "uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", @@ -15714,20 +15623,6 @@ { "dest-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5", "type": "related-to" - }, - { - "dest-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" } ], "uuid": "af358cad-eb71-4e91-a752-236edc237dae", 
@@ -15780,20 +15675,6 @@ { "dest-uuid": "af358cad-eb71-4e91-a752-236edc237dae", "type": "related-to" - }, - { - "dest-uuid": "af358cad-eb71-4e91-a752-236edc237dae", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" } ], "uuid": "a757670d-d600-48d9-8ae9-601d42c184a5", @@ -15850,13 +15731,6 @@ { "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "type": "revoked-by" - }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "revoked-by" } ], "uuid": "831e3269-da49-48ac-94dc-948008e8fd16", @@ -16136,7 +16010,8 @@ "Azure AD", "Office 365", "IaaS", - "Google Workspace" + "Google Workspace", + "SaaS" ], "refs": [ "https://attack.mitre.org/techniques/T1538", @@ -16244,15 +16119,7 @@ "https://attack.mitre.org/techniques/T1454" ] }, - "related": [ - { - "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "revoked-by" - } - ], + "related": [], "uuid": "0bcc4ec1-a897-49a9-a9ff-c00df1d1209d", "value": "Malicious SMS Message - T1454" }, 
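Review bot: The `@@ -16244` hunk leaves `Malicious SMS Message - T1454` (uuid `0bcc4ec1-…`) with `"related": []`, which drops its only `revoked-by` edge to `2d646840-f6f5-4619-a5a8-29c8316bbac5` instead of deduplicating it; compare the `@@ -16422` hunk below, where `c91c304a-…` keeps an untagged `revoked-by` to the same destination. The cleanup appears to strip every entry carrying the `estimative-language` tag rather than only those that duplicate an untagged edge, so the relation should be preserved as `{ "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", "type": "revoked-by" }` rather than emptied. The same pattern may affect the `@@ -15382`, `@@ -15609`, `@@ -15683`, `@@ -15714` and `@@ -15780` hunks, where tagged `related-to` edges (e.g. `78e41091-… → 59369f72-…`, `a757670d-… → 74a3288e-…`) are removed with no untagged counterpart visible in the hunk context; with only three context lines that is an inference, so the full `related` arrays are worth checking before merge.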
@@ -16349,40 +16216,6 @@ "uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "value": "Carrier Billing Fraud - T1448" }, - { - "description": "Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.\n\nWith sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207).\n\nAdversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.", - "meta": { - "external_id": "T1484", - "kill_chain": [ - "mitre-attack:defense-evasion", - "mitre-attack:privilege-escalation" - ], - "mitre_data_sources": [ - 
"Active Directory: Active Directory Object Creation", - "Active Directory: Active Directory Object Deletion", - "Active Directory: Active Directory Object Modification", - "Command: Command Execution" - ], - "mitre_platforms": [ - "Windows", - "Azure AD" - ], - "refs": [ - "http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/", - "https://adsecurity.org/?p=2716", - "https://attack.mitre.org/techniques/T1484", - "https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365", - "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml", - "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", - "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", - "https://wald0.com/?p=179", - "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/", - "https://www.sygnia.co/golden-saml-advisory" - ] - }, - "uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", - "value": "Domain Policy Modification - T1484" - }, { "description": "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making. \n\nAdversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1042) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. 
For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", "meta": { @@ -16422,13 +16255,6 @@ { "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", "type": "revoked-by" - }, - { - "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "revoked-by" } ], "uuid": "c91c304a-975d-4501-9789-0db1c57afd3f", @@ -16486,13 +16312,6 @@ { "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", "type": "revoked-by" - }, - { - "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "revoked-by" } ], "uuid": "a9cab8f6-4c94-4c9b-9e7d-9d863ff53431", @@ -16624,6 +16443,7 @@ "mitre_data_sources": [ "Active Directory: Active Directory Object Modification", "Application Log: Application Log Content", + "Cloud Service: Cloud Service Modification", "File: File Creation", "File: File Modification", "Logon Session: Logon Session Creation", 
@@ -16868,7 +16688,7 @@ "value": "Right-to-Left Override - T1036.002" }, { - "description": "To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)\n\nIn the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.", + "description": "Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. 
This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.\n\nFor example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)\n\nIn the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.\n\nSimilarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)", "meta": { "external_id": "T1090.003", "kill_chain": [ @@ -16887,7 +16707,8 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1090/003", - "https://en.wikipedia.org/wiki/Onion_routing" + "https://en.wikipedia.org/wiki/Onion_routing", + "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/" ] }, "related": [ 
@@ -17084,6 +16905,30 @@ "uuid": "d916f176-a1ca-4a78-9fdd-4058bc28162e", "value": "One-Way Communication - T1481.003" }, + { + "description": "Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Discovery](https://attack.mitre.org/tactics/TA0032) or [Credential Access](https://attack.mitre.org/tactics/TA0031) activity to support both ongoing and future campaigns. ", + "meta": { + "external_id": "T1422.002", + "kill_chain": [ + "mitre-mobile-attack:discovery" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1422/002" + ] + }, + "related": [ + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "type": "subtechnique-of" + } + ], + "uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", + "value": "Wi-Fi Discovery - T1422.002" + }, { "description": "Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).\n\nSide-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. 
Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)", "meta": { @@ -17191,6 +17036,7 @@ ], "mitre_data_sources": [ "Active Directory: Active Directory Object Modification", + "Application Log: Application Log Content", "Logon Session: Logon Session Creation", "User Account: User Account Authentication", "User Account: User Account Modification" 
@@ -17539,7 +17385,7 @@ "value": "Inter-Process Communication - T1559" }, { - "description": "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.\n\nAn adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.\n\nWhen an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.", + "description": "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. 
For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.\n\nAn adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.\n\nWhen an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.", "meta": { "external_id": "T1134.001", "kill_chain": [ @@ -17555,6 +17401,7 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1134/001", + "https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetoken", "https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing" ] }, 
@@ -17567,6 +17414,37 @@ "uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "value": "Token Impersonation/Theft - T1134.001" }, + { + "description": "Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.\n\nThis type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding/compression schemes such as Base64.\n\nThe entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.\n\nFor example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566) payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: SFX - Encrypted/Encoded File) \n\nAdversaries may also abuse file-specific as well as custom encoding schemes. 
For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) execution.", + "meta": { + "external_id": "T1027.013", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "File: File Creation", + "File: File Metadata" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1027/013", + "https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/", + "https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": "subtechnique-of" + } + ], + "uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "value": "Encrypted/Encoded File - T1027.013" + }, { "description": "Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.\n\nAdversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. 
Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", "meta": { 
@@ -17593,7 +17471,36 @@ "value": "DNS/Passive DNS - T1596.001" }, { - "description": "Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters. ", + "description": "Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)\n\nAdversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. 
Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment.", + "meta": { + "external_id": "T1564.012", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "File: File Creation" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1564/012", + "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus" + ] + }, + "related": [ + { + "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", + "type": "subtechnique-of" + } + ], + "uuid": "09b008a9-b4eb-462a-a751-a0eb58050cd9", + "value": "File/Path Exclusions - T1564.012" + }, + { + "description": "Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters. ", "meta": { "external_id": "T1001.001", "kill_chain": [ @@ -17609,7 +17516,8 @@ ], "refs": [ "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", - "https://attack.mitre.org/techniques/T1001/001" + "https://attack.mitre.org/techniques/T1001/001", + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" ] }, "related": [ 
@@ -17657,7 +17565,7 @@ "value": "Traffic Duplication - T1020.001" }, { - "description": "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n\n* procdump -ma lsass.exe lsass_dump\n\nLocally, mimikatz can be run using:\n\n* sekurlsa::Minidump lsassdump.dmp\n* sekurlsa::logonPasswords\n\nBuilt-in Windows tools such as comsvcs.dll can also be used:\n\n* rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)\n\n\nWindows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. 
An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\n\nThe following SSPs can be used to access credentials:\n\n* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\n* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)\n* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\n* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)\n", + "description": "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. 
These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n\n* procdump -ma lsass.exe lsass_dump\n\nLocally, mimikatz can be run using:\n\n* sekurlsa::Minidump lsassdump.dmp\n* sekurlsa::logonPasswords\n\nBuilt-in Windows tools such as `comsvcs.dll` can also be used:\n\n* rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)\n\nSimilar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)\n\nWindows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. 
An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\n\nThe following SSPs can be used to access credentials:\n\n* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\n* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)\n* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\n* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)\n", "meta": { "external_id": "T1003.001", "kill_chain": [ @@ -17665,6 +17573,7 @@ ], "mitre_data_sources": [ "Command: Command Execution", + "File: File Creation", "Logon Session: Logon Session Creation", "Process: OS API Execution", "Process: Process Access", @@ -17681,6 +17590,7 @@ "https://github.com/mattifestation/PowerSploit", "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea", "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf", + "https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before-part-2", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/" ] }, @@ -17737,7 +17647,8 @@ "mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/", @@ -17769,7 +17680,8 @@ "mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/", 
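Review bot: The new T1003.001 description renders code in two different ways on the new side — `comsvcs.dll`, `lsass.exe` and `WerFault.exe` keep their backticks while the procdump, mimikatz and rundll32 command lines sit in the prose as bare text — so a renderer cannot distinguish command text from sentence text. This looks like the importer preserves markdown backticks but drops upstream code tags without substituting a delimiter; I can't confirm that from the diff alone. The same stripping is visible in the T1003.007 hunk, where a grep/cut pipeline with escaped quotes runs inline with the sentence, and in the T1087.002 hunk, where `dscacheutil -q groupon macOS` is two words glued together (the T1087.001 hunk shows the upstream-fixed form `id and groups on macOS`). Since this file is regenerated from upstream, the fix belongs in the conversion step (wrap the content of stripped code tags in backticks) rather than a hand edit; the enclosing entry starts before this hunk.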
@@ -17819,7 +17731,7 @@ "value": "LSA Secrets - T1003.004" }, { - "description": "Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)\n\nWhen executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)\n\nIf running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.", + "description": "Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. 
And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)\n\nWhen executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as grep -E \"^[0-9a-f-]* r\" /proc/\"$pid\"/maps | cut -d' ' -f 1, to look for fixed strings in memory structures or cached hashes.(Citation: atomic-red proc file system) When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)\n\nIf running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.", "meta": { "external_id": "T1003.007", "kill_chain": [ @@ -17836,6 +17748,7 @@ "https://attack.mitre.org/techniques/T1003/007", "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#proc-usdpid-maps-and-proc-usdpid-mem", "https://github.com/huntergregal/mimipenguin", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md", "https://www.baeldung.com/linux/proc-id-maps", "https://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use" ] @@ -18039,7 +17952,8 @@ "Linux", "macOS", "Google Workspace", - "Containers" + "Containers", + "Network" ], "refs": [ "http://www.blackhillsinfosec.com/?p=4645", @@ -18077,7 +17991,8 @@ "Linux", "macOS", "Google Workspace", - "Containers" + "Containers", + "Network" ], "refs": [ "https://attack.mitre.org/techniques/T1110/004", 
@@ -18107,7 +18022,8 @@ "mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "refs": [ "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", @@ -18320,7 +18236,7 @@ "value": "Cloud Services - T1021.007" }, { - "description": "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", + "description": "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: FireEye APT28) ", "meta": { "external_id": "T1071.003", "kill_chain": [ 
@@ -18333,11 +18249,13 @@ "mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "refs": [ "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", - "https://attack.mitre.org/techniques/T1071/003" + "https://attack.mitre.org/techniques/T1071/003", + "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" ] }, "related": [ @@ -18529,7 +18447,8 @@ "Linux", "macOS", "Google Workspace", - "Containers" + "Containers", + "Network" ], "refs": [ "https://attack.mitre.org/techniques/T1078/001", @@ -18549,7 +18468,7 @@ "value": "Default Accounts - T1078.001" }, { - "description": "Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\n\nCommands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groupson macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.", + "description": "Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\n\nCommands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groups on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.", "meta": { "external_id": "T1087.001", "kill_chain": [ 
@@ -18569,7 +18488,10 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1087/001", - "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" + "https://linux.die.net/man/1/groups", + "https://linux.die.net/man/1/id", + "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" ] }, "related": [ @@ -18833,6 +18755,7 @@ "mitre_data_sources": [ "Logon Session: Logon Session Creation", "Logon Session: Logon Session Metadata", + "Process: Process Creation", "User Account: User Account Authentication", "Web Credential: Web Credential Creation", "Web Credential: Web Credential Usage" 
@@ -18994,7 +18917,7 @@ "value": "Domain Accounts - T1078.002" }, { - "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.\n\nCommands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. ", + "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.\n\nCommands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) ", "meta": { "external_id": "T1087.002", "kill_chain": [ @@ -19013,7 +18936,8 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/techniques/T1087/002" + "https://attack.mitre.org/techniques/T1087/002", + "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" ] }, "related": [ @@ -19038,7 +18962,8 @@ "mitre_platforms": [ "macOS", "Linux", - "Windows" + "Windows", + "Network" ], "refs": [ "https://attack.mitre.org/techniques/T1027/008", 
@@ -19107,7 +19032,8 @@ ], "mitre_platforms": [ "macOS", - "Linux" + "Linux", + "Network" ], "refs": [ "http://manpages.ubuntu.com/manpages/bionic/man8/systemd-rc-local-generator.8.html", @@ -19173,7 +19099,7 @@ "value": "Scheduled Task - T1053.005" }, { - "description": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)\n\nIn addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)", + "description": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)\n\nIn addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)", "meta": { "external_id": "T1505.003", "kill_chain": [ @@ -19464,7 +19390,8 @@ ], "mitre_platforms": [ "macOS", - "Linux" + "Linux", + "Network" ], "refs": [ "https://attack.mitre.org/techniques/T1059/004", 
@@ -19482,7 +19409,7 @@ "value": "Unix Shell - T1059.004" }, { - "description": "Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nService or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments.\n\nAn adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. \n\nCloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. 
\n", + "description": "Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nService or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments - for example, by leveraging shared credentials to log onto [Remote Services](https://attack.mitre.org/techniques/T1021). High privileged cloud accounts, whether federated, synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands on hybrid-joined devices.\n\nAn adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. \n\nCloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. 
Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. \n", "meta": { "external_id": "T1078.004", "kill_chain": [ 
@@ -19650,7 +19577,7 @@ "value": "Proc Memory - T1055.009" }, { - "description": "Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. \n\nTypically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). 
Link shortening services can also be employed. Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)", + "description": "Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. \n\nTypically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. 
Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001).\n\nLinks can be written by adversaries to mask the true destination in order to deceive victims by abusing the URL schema and increasing the effectiveness of phishing.(Citation: Kaspersky-masking)(Citation: mandiant-masking)\n\nAdversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect) In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)", "meta": { "external_id": "T1608.005", "kill_chain": [ 
@@ -19666,10 +19593,17 @@ "https://attack.mitre.org/techniques/T1608/005", "https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/", "https://blog.talosintelligence.com/ipfs-abuse/", + "https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/", + "https://docs.ostorlab.co/kb/IPA_URL_SCHEME_HIJACKING/index.html", + "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", + "https://www.blackhat.com/presentations/bh-dc-08/McFeters-Rios-Carter/Presentation/bh-dc-08-mcfeters-rios-carter.pdf", "https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/", + "https://www.kaspersky.com/blog/malicious-redirect-methods/50045/", + "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse", "https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service", "https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection", - "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian" + "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian", + "https://www.techtarget.com/searchsecurity/tip/Preparing-for-uniform-resource-identifier-URI-exploits" ] }, "related": [ 
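Review bot: The seven URLs added to `refs` cannot be matched to the seven new `(Citation: …)` labels in the T1608.005 description from the preceding hunk, because the cluster stores only bare URLs without the citation key; the media.defense.gov web-shell advisory and the 2008 Black Hat deck in particular are not obviously about spearphishing link targets, so their relevance cannot be checked from the diff. If these were taken straight from the upstream `external_references`, the pairing is correct by construction, but the commit message should say so. The array remains alphabetically sorted, which keeps future diffs small.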
@@ -20024,7 +19958,31 @@ "value": "Code Repositories - T1213.003" }, { - "description": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", + "description": "Adversaries may use [SSL Pinning](https://attack.mitre.org/techniques/T1521/003) to protect the C2 traffic from being intercepted and analyzed.\n\n[SSL Pinning](https://attack.mitre.org/techniques/T1521/003) is a technique commonly utilized by legitimate websites to ensure that encrypted communications are only allowed with a pre-defined certificate. If another certificate is presented, it could indicate device compromise, traffic interception, or another upstream issue. While benign usages are common, it is also possible for adversaries to abuse this technology to protect malicious C2 traffic.\n\nIn normal, not pinned SSL validation, when a client connects to a server using HTTPS, it typically checks whether the server’s SSL/TLS certificate is signed by a trusted Certificate Authority (CA) in the device’s trust store. If the certificate is valid and signed by a trusted CA, the connection is established. However, with [SSL Pinning](https://attack.mitre.org/techniques/T1521/003) , the client is configured to trust a specific SSL/TLS certificate or public key, rather than relying on the device’s trust store. 
This means that even if the server’s certificate is signed by a trusted CA, the client will only establish the connection of the certificate or key is pinned.\n\nThere are two types of [SSL Pinning](https://attack.mitre.org/techniques/T1521/003) :\n\n1.\tCertificate Pinning: The client stores a copy of the server’s certificate and compares it with the certificate received during the SSL handshake. If the certificates match, then the client proceeds with the connection. This approach also works with self-signed certificates.\n\n2.\tPublic Key Pinning: Instead of pinning the entire certificate, the client pins just the public key extracted from the certificate. This is often more flexible, as it allows the server to renew its certificate without having to update the pinned certificate or breaking the SSL connection.", + "meta": { + "external_id": "T1521.003", + "kill_chain": [ + "mitre-mobile-attack:command-and-control" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1521/003" + ] + }, + "related": [ + { + "dest-uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", + "type": "subtechnique-of" + } + ], + "uuid": "dfafc230-5465-4993-8dc5-f51fa9fec002", + "value": "SSL Pinning - T1521.003" + }, + { + "description": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.(Citation: Savill 1999)\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", "meta": { "external_id": "T1136.002", "kill_chain": [ 
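Review bot: The new T1521.003 description carries a wording error on the new side — `the client will only establish the connection of the certificate or key is pinned` should read `if the certificate or key is pinned` — and because this file is regenerated from upstream ATT&CK, a hand fix here would be overwritten, so it should be reported upstream. The entry's `kill_chain` uses the `mitre-mobile-attack:` prefix while the other technique added in this diff (T1564.012) uses `mitre-attack:`; if this cluster intentionally merges mobile techniques that is expected, but consumers filtering on the enterprise prefix will not see this entry. The entry also has no `mitre_data_sources` key, unlike the enterprise entries around it; presumably mobile techniques don't carry them, but that is worth confirming rather than treating the absence as a generator omission.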
@@ -20042,7 +20000,8 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1136/002",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720"
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720",
+ "https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference"
 ]
 },
 "related": [
@@ -20080,7 +20039,7 @@ "value": "Unix Shell - T1623.001" }, { - "description": "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)\n\nThere exist user and global Registry keys for the Office Test feature:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf\n\nAdversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.", + "description": "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. 
This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)\n\nThere exist user and global Registry keys for the Office Test feature, such as:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf\n\nAdversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.", "meta": { "external_id": "T1137.002", "kill_chain": [ 
@@ -20115,7 +20074,7 @@ "value": "Office Test - T1137.002" }, { - "description": "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)\n\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.", + "description": "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI)\n\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.", "meta": { "external_id": "T1542.001", "kill_chain": [ @@ -20126,7 +20085,8 @@ "Firmware: Firmware Modification" ], "mitre_platforms": [ - "Windows" + "Windows", + "Network" ], "refs": [ "http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html", 
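Review bot: The rewritten T1542.001 description still reads `persist on systems.The BIOS` with no space after the period, so this hunk tightens the citation spacing but leaves the sentence boundary broken; the intended text is presumably `persist on systems. The BIOS`. The same missing space appears in the new T1484.002 entry further down in this diff (`elevate privileges.Trust details`). If these strings are mirrored verbatim from the upstream ATT&CK bundle, the correction belongs there, but it is worth tracking so the galaxy text does not stay garbled across releases.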
@@ -20329,7 +20289,7 @@ "value": "Business Relationships - T1591.002" }, { - "description": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)\n\nAdversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.\n\nOnce an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).", + "description": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)\n\nIn addition to user accounts, cloud accounts may be associated with services. Cloud providers handle the concept of service accounts in different ways. 
In Azure, service accounts include service principals and managed identities, which can be linked to various resources such as OAuth applications, serverless functions, and virtual machines in order to grant those resources permissions to perform various activities in the environment.(Citation: Microsoft Entra ID Service Principals) In GCP, service accounts can also be linked to specific resources, as well as be impersonated by other accounts for [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005).(Citation: GCP Service Accounts) While AWS has no specific concept of service accounts, resources can be directly granted permission to assume roles.(Citation: AWS Instance Profiles)(Citation: AWS Lambda Execution Role)\n\nAdversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.\n\nOnce an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).", "meta": { "external_id": "T1136.003", "kill_chain": [ 
@@ -20347,9 +20307,13 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1136/003",
+ "https://cloud.google.com/iam/docs/service-account-overview",
+ "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html",
 "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html",
+ "https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html",
 "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory",
 "https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide",
+ "https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser",
 "https://support.google.com/cloudidentity/answer/7332836?hl=en&ref_topic=7558554",
 "https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d"
 ]
@@ -20628,7 +20592,8 @@
 "mitre_platforms": [
 "Linux",
 "Windows",
- "macOS"
+ "macOS",
+ "Network"
 ],
 "refs": [
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
@@ -20797,7 +20762,7 @@ "value": "AppInit DLLs - T1546.010" }, { - "description": "Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. \n\nThe Registry key contains entries for the following:\n\n* Local Port\n* Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n\nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.", + "description": "Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot.(Citation: Bloxham) \n\nAlternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to the `Driver` value of an existing or new arbitrarily named subkey of HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. The Registry key contains entries for the following:\n\n* Local Port\n* Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n", "meta": { "external_id": "T1547.010", "kill_chain": [ 
@@ -20854,7 +20819,7 @@ "value": "Identify Roles - T1591.004" }, { - "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nSpecific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. 
\n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)", + "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nSpecific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. 
Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Once executed, malware may also use [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such as `malware`, `sample`, or `hash`.\n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)", "meta": { "external_id": "T1497.001", "kill_chain": [ 
@@ -20921,7 +20886,7 @@ "value": "Golden Ticket - T1558.001" }, { - "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. ", + "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. 
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. ", "meta": { "external_id": "T1566.001", "kill_chain": [ @@ -20941,6 +20906,7 @@ "refs": [ "https://attack.mitre.org/techniques/T1566/001", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" ] 
@@ -21100,7 +21066,7 @@ "value": "Device Lockout - T1629.002" }, { - "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. \n\nSystemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) \n\nInside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service) \n\n* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.\n* `ExecReload` directive executes when a service restarts. \n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. \n\nAdversaries have created new service files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. 
Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) ", + "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. \n\nSystemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) \n\nInside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service) \n\n* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.\n* `ExecReload` directive executes when a service restarts. \n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. \n\nAdversaries have created new service files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. 
Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) \n\nThe .service file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions. ", "meta": { "external_id": "T1543.002", "kill_chain": [ @@ -21245,7 +21211,8 @@ "mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "refs": [ "http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840", 
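Review bot: The sentence appended to the end of the T1543.002 description, `The .service file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.`, restates what the same paragraph already says about modifying the user directive a `.service` file executes as, so the privilege-escalation point is now made twice. It also drops an article (`run a service as`) and leaves `.service` unformatted where the rest of the description wraps it in backticks. If the text is mirrored from upstream ATT&CK this is a note for the source rather than this file; the `Network` platform addition in the second hunk is in line with the other platform hunks here.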
@@ -21337,6 +21304,45 @@ "uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "value": "Call Log - T1636.002" }, + { + "description": "Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\n\nManipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. 
An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) \n\nAn adversary may also add a new federated identity provider to an identity tenant such as Okta, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023)", + "meta": { + "external_id": "T1484.002", + "kill_chain": [ + "mitre-attack:defense-evasion", + "mitre-attack:privilege-escalation" + ], + "mitre_data_sources": [ + "Active Directory: Active Directory Object Creation", + "Active Directory: Active Directory Object Modification", + "Application Log: Application Log Content", + "Command: Command Execution" + ], + "mitre_platforms": [ + "Windows", + "Azure AD", + "SaaS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1484/002", + "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed", + "https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365", + "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml", + "https://o365blog.com/post/federation-vulnerability/", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", + "https://www.sygnia.co/golden-saml-advisory" + ] + }, + "related": [ + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "subtechnique-of" + } + ], + "uuid": "24769ab5-14bd-4f4e-a752-cfb185da53ee", + "value": "Trust Modification - T1484.002" + }, { "description": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. 
TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.\n\nAdversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)", "meta": { 
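Review bot: The T1484.002 entry is added here as an entirely new object with uuid `24769ab5-14bd-4f4e-a752-cfb185da53ee`, yet this sub-technique has existed in ATT&CK for several releases, so it is worth confirming that an older entry under the same uuid (likely with the previous `Domain Trust Modification - T1484.002` value) is removed elsewhere in this diff rather than left in place — a duplicated uuid or value in a galaxy cluster breaks validation and tag resolution. The description also has the `privileges.Trust details` missing-space issue noted on the T1542.001 hunk. On the positive side, the refs include a concrete detection rule (`ADFSDomainTrustMods.yaml`) that pairs well with the listed `Active Directory Object Modification` data source.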
@@ -21579,7 +21585,7 @@ "value": "Reflection Amplification - T1498.002" }, { - "description": "An adversary may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)\n\nIn OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.(Citation: OS X Keychain)(Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an adversary need only iterate over the other values to unlock the final password.(Citation: OS X Keychain)", + "description": "An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. 
This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)\n\nIn OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.(Citation: OS X Keychain)(Citation: External to DA, the OS X Way) Apple’s `securityd` utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an adversary need only iterate over the other values to unlock the final password.(Citation: OS X Keychain)", "meta": { "external_id": "T1555.002", "kill_chain": [ @@ -21597,6 +21603,7 @@ "http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain", "http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way", "https://attack.mitre.org/techniques/T1555/002", + "https://developer.apple.com/library/archive/documentation/Security/Conceptual/Security_Overview/Architecture/Architecture.html", "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/" ] }, 
@@ -21640,7 +21647,7 @@ "value": "Container API - T1552.007" }, { - "description": "Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1)\n\nTo decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)", + "description": "Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Establishing email accounts may also allow adversaries to abuse free services – such as trial periods – to [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) for follow-on purposes.(Citation: Free Trial PurpleUrchin)\n\nAdversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. 
Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1)\n\nTo decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016) ", "meta": { "external_id": "T1585.002", "kill_chain": [ @@ -21652,6 +21659,7 @@ "refs": [ "https://attack.mitre.org/techniques/T1585/002", "https://blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/", + "https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" ] }, @@ -21759,6 +21767,7 @@ ], "mitre_data_sources": [ "Command: Command Execution", + "Process: Process Creation", "Sensor Health: Host Status", "Windows Registry: Windows Registry Key Modification" ], 
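Review bot: The new T1585.002 description string ends with a trailing space before the closing quote (`(Citation: Trend Micro R980 2016) "`), which will survive into every consumer that renders or hashes the value; it should end `(Citation: Trend Micro R980 2016)"`. The added sentence about abusing free trials to `[Acquire Infrastructure]` now overlaps the retained `Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains]...)` sentence later in the same string, so the two could be merged into one statement. If this cluster is generated from the ATT&CK STIX bundle, the trailing space is presumably upstream and worth reporting there. The T1585.002 object continues beyond the hunk.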
@@ -21786,7 +21795,7 @@ "value": "Indicator Blocking - T1562.006" }, { - "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.\n\nAdversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. 
Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \"IDN homograph attack\").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\n\nAdversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)", + "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). 
The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.\n\nAdversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \"IDN homograph attack\").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\n\nAdversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)\n\nAdversaries may also utilize spearphishing links to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s that grant immediate access to the victim environment. 
For example, a user may be lured through “consent phishing” into granting adversaries permissions/access via a malicious OAuth 2.0 request URL .(Citation: Trend Micro Pawn Storm OAuth 2017)(Citation: Microsoft OAuth 2.0 Consent Phishing 2021)\n\nSimilarly, malicious links may also target device-based authorization, such as OAuth 2.0 device authorization grant flow which is typically used to authenticate devices without UIs/browsers. Known as “device code phishing,” an adversary may send a link that directs the victim to a malicious authorization page where the user is tricked into entering a code/credentials that produces a device token.(Citation: SecureWorks Device Code Phishing 2021)(Citation: Netskope Device Code Phishing 2021)(Citation: Optiv Device Code Phishing 2021)", "meta": { "external_id": "T1566.002", "kill_chain": [ @@ -21812,7 +21821,10 @@ "https://us-cert.cisa.gov/ncas/tips/ST05-016", "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse", - "https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/" + "https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/", + "https://www.netskope.com/blog/new-phishing-attacks-exploiting-oauth-authorization-flows-part-1", + "https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing", + "https://www.secureworks.com/blog/oauths-device-code-flow-abused-in-phishing-attacks" ] }, "related": [ 
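Review bot: The new T1566.002 description states consent phishing twice: the retained paragraph beginning `Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs` and the added paragraph beginning `Adversaries may also utilize spearphishing links to [Steal Application Access Token]...s that grant immediate access` describe the same behaviour with the same two citations. Keep one — the added paragraph reads naturally as the lead-in to the new device-code paragraph — and drop the other. The added paragraph also has a stray space before the period in `via a malicious OAuth 2.0 request URL .`, which should read `via a malicious OAuth 2.0 request URL.`. If this file is generated from the ATT&CK STIX bundle the duplication is upstream and should be reported there rather than patched by hand. The T1566.002 object continues beyond the hunk.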
@@ -21945,7 +21957,7 @@ "value": "Spearphishing Attachment - T1598.002" }, { - "description": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.\n\nAdversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. \n\nAdversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. 
Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as \"Bring Your Own Vulnerable Driver\" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)\n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component).", + "description": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.\n\nAdversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. \n\nAdversaries may also use services to install and execute malicious drivers. 
For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as \"Bring Your Own Vulnerable Driver\" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)\n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002).\n\nTo make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create ‘hidden’ services (i.e., [Hide Artifacts](https://attack.mitre.org/techniques/T1564)), for example by using the `sc sdset` command to set service permissions via the Service Descriptor Definition Language (SDDL). 
This may hide a Windows service from the view of standard service enumeration methods such as `Get-Service`, `sc query`, and `services.exe`.(Citation: SANS 1)(Citation: SANS 2)", "meta": { "external_id": "T1543.003", "kill_chain": [ @@ -21975,6 +21987,8 @@ "https://technet.microsoft.com/en-us/sysinternals/bb963902", "https://unit42.paloaltonetworks.com/acidbox-rare-malware/", "https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/", + "https://www.sans.org/blog/defense-spotlight-finding-hidden-windows-services/", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" ] 
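Review bot: The added hidden-service sentence in T1543.003 tells the reader that `sc sdset` hides a service from `Get-Service`, `sc query`, and `services.exe` but gives no counter-check, even though the same description already states that service configuration is stored in the Windows Registry. Suggest appending after the SANS citations: `Such services remain present under the Services Registry key and can be found by enumerating it directly rather than through the Service Control Manager.` — the service security descriptor governs SCM access, and as far as this description goes it does not apply to the Registry key, but confirm against the cited SANS defense post before adding. If this cluster is regenerated from upstream ATT&CK, carry the wording to the generator's source instead. The T1543.003 object continues beyond the hunk.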
@@ -22077,7 +22091,43 @@ "value": "Launch Daemon - T1543.004" }, { - "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nOn Windows, there are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019)\n\nSimilarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)", + "description": "Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. 
By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host.\n\nFor example, by using the `docker run` or `podman run` command with the `restart=always` directive, a container can be configured to persistently restart on the host.(Citation: AquaSec TeamTNT 2023) A user with access to the (rootful) docker command may also be able to escalate their privileges on the host.(Citation: GTFOBins Docker)\n\nIn Kubernetes environments, DaemonSets allow an adversary to persistently [Deploy Container](https://attack.mitre.org/techniques/T1610)s on all nodes, including ones added later to the cluster.(Citation: Aquasec Kubernetes Attack 2023)(Citation: Kubernetes DaemonSet) Pods can also be deployed to specific nodes using the `nodeSelector` or `nodeName` fields in the pod spec.(Citation: Kubernetes Assigning Pods to Nodes)(Citation: AppSecco Kubernetes Namespace Breakout 2020)\n\nNote that containers can also be configured to run as [Systemd Service](https://attack.mitre.org/techniques/T1543/002)s.(Citation: Podman Systemd)(Citation: Docker Systemd)", + "meta": { + "external_id": "T1543.005", + "kill_chain": [ + "mitre-attack:persistence", + "mitre-attack:privilege-escalation" + ], + "mitre_data_sources": [ + "Command: Command Execution", + "Container: Container Creation" + ], + "mitre_platforms": [ + "Containers" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1543/005", + "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216", + "https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters", + "https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign", + "https://docs.docker.com/config/containers/start-containers-automatically/", + "https://gtfobins.github.io/gtfobins/docker/", + "https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/", + 
"https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/", + "https://www.redhat.com/sysadmin/podman-run-pods-systemd-services" + ] + }, + "related": [ + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "type": "subtechnique-of" + } + ], + "uuid": "b0e54bf7-835e-4f44-bd8e-62f431b9b76a", + "value": "Container Service - T1543.005" + }, + { + "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)\n\nOn macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nSimilarly, on Windows there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. 
One example of this is powershell.exe -WindowStyle Hidden.(Citation: PowerShell About 2019)\n\nIn addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding explorer.exe process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows.", "meta": { "external_id": "T1564.003", "kill_chain": [ @@ -22097,7 +22147,9 @@ "refs": [ "https://attack.mitre.org/techniques/T1564/003", "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/", - "https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/About/about_PowerShell_exe?view=powershell-5.1" + "https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/About/about_PowerShell_exe?view=powershell-5.1", + "https://securityintelligence.com/anatomy-of-an-hvnc-attack/", + "https://www.malwaretech.com/2015/09/hidden-vnc-for-beginners.html" ] }, "related": [ 
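Review bot: In the new T1543.005 entry the sentence `A user with access to the (rootful) docker command may also be able to escalate their privileges on the host.` understates what the cited GTFOBins entry demonstrates: on a rootful daemon, any account that can run `docker` (typically via membership in the `docker` group) can bind-mount the host filesystem into a container and obtain root, so that access is root-equivalent rather than merely escalatable. Suggested wording: `A user who can run the (rootful) docker command — for example a member of the docker group — is effectively root on the host, since the daemon will mount the host filesystem into a container on request.` Separately, the rewritten T1564.003 text has a grammar slip in `will be invisible to other desktops windows`; it should read `will be invisible to other desktop windows`. If this cluster is generated from the ATT&CK STIX bundle, both belong upstream. The T1564.003 object continues beyond the hunk.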
@@ -22110,7 +22162,7 @@ "value": "Hidden Window - T1564.003" }, { - "description": "Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)\n\nTime providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider)\n\nAdversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)", + "description": "Adversaries may abuse time providers to execute DLLs when the system boots. 
The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)\n\nTime providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\`.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider)\n\nAdversaries may abuse this architecture to establish persistence, specifically by creating a new arbitrarily named subkey pointing to a malicious DLL in the `DllName` value. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)", "meta": { "external_id": "T1547.003", "kill_chain": [ 
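Review bot: The new T1547.003 sentence `specifically by creating a new arbitrarily named subkey pointing to a malicious DLL in the DllName value` drops the enabling step that both the previous wording (`registering and enabling a malicious DLL`) and the description's own earlier sentence (`loads and starts time providers listed and enabled under this key`) depend on; by the description's own statement a subkey carrying only `DllName` is not loaded. Suggest: `specifically by creating a new, arbitrarily named subkey under TimeProviders that points to a malicious DLL in its DllName value and is marked as enabled.` For defenders this also means a detection should key on both values being written beneath the TimeProviders path, not only on subkey creation. If this cluster is generated from the ATT&CK STIX bundle, the wording change belongs upstream. The T1547.003 object continues beyond the hunk.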
@@ -22346,7 +22398,7 @@ "value": "DNS Calculation - T1568.003" }, { - "description": "Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.", + "description": "Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: FireEye APT29) By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.", "meta": { "external_id": "T1583.006", "kill_chain": [ @@ -22360,7 +22412,8 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1583/006", - "https://threatconnect.com/blog/infrastructure-research-hunting/" + "https://threatconnect.com/blog/infrastructure-research-hunting/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf" ] }, "related": [ 
@@ -22449,7 +22502,7 @@ "value": "Employee Names - T1589.003" }, { - "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\n\nAdversaries may also link to \"web bugs\" or \"web beacons\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)\n\nAdversaries may also be able to spoof a complete website using what is known as a \"browser-in-the-browser\" (BitB) attack. 
By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)\n\nAdversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to proxy the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor)\n\nFrom the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", + "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. 
In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\n\nAdversaries may also embed “tracking pixels”, \"web bugs\", or \"web beacons\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug) (Citation: Ryte Wiki) These mechanisms often appear as small images (typically one pixel in size) or otherwise obfuscated objects and are typically delivered as HTML code containing a link to a remote server. (Citation: Ryte Wiki)(Citation: IAPP)\n\nAdversaries may also be able to spoof a complete website using what is known as a \"browser-in-the-browser\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)\n\nAdversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to perform adversary-in-the-middle phishing by proxying the connection between the victim and the legitimate website. 
On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor)\n\nAdversaries may also send a malicious link in the form of Quick Response (QR) Codes (also known as “quishing”). These links may direct a victim to a credential phishing page.(Citation: QR-campaign-energy-firm) By using a QR code, the URL may not be exposed in the email and may thus go undetected by most automated email security scans.(Citation: qr-phish-agriculture) These QR codes may be scanned by or delivered directly to a user’s mobile device (i.e., [Phishing](https://attack.mitre.org/techniques/T1660)), which may be less secure in several relevant ways.(Citation: qr-phish-agriculture) For example, mobile users may not be able to notice minor differences between genuine and credential harvesting websites due to mobile’s smaller form factor.\n\nFrom the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", "meta": { "external_id": "T1598.003", "kill_chain": [ 
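Review bot: The citation formatting in the new T1598.003 text is inconsistent with the rest of the file, which attaches citations directly to the preceding text with no spaces (`text.(Citation: X)(Citation: Y)`): the added tracking-pixel sentences use `(Citation: NIST Web Bug) (Citation: Ryte Wiki)` and `obfuscated objects. (Citation: Ryte Wiki)(Citation: IAPP)`. Normalise them to `IP address.(Citation: NIST Web Bug)(Citation: Ryte Wiki)` and `objects.(Citation: Ryte Wiki)(Citation: IAPP)`. The quishing paragraph also capitalises `Quick Response (QR) Codes` mid-sentence where `codes` is meant generically. If this cluster is generated from the ATT&CK STIX bundle, these are upstream and presumably should be reported there. The T1598.003 object continues beyond the hunk.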
@@ -22467,11 +22520,15 @@
 "https://attack.mitre.org/techniques/T1598/003",
 "https://csrc.nist.gov/glossary/term/web_bug",
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide",
+ "https://en.ryte.com/wiki/Tracking_Pixel",
+ "https://iapp.org/resources/article/web-beacon/",
 "https://mrd0x.com/browser-in-the-browser-phishing-attack/",
+ "https://therecord.media/phishing-campaign-used-qr-codes-to-target-energy-firm",
 "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
 "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse",
 "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages",
 "https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf",
+ "https://www.proofpoint.com/us/blog/email-and-cloud-threats/cybersecurity-stop-month-qr-code-phishing",
 "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html",
 "https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials"
 ]
@@ -22662,7 +22719,39 @@ "value": "Accessibility Features - T1546.008" }, { - "description": "Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.", + "description": "Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to execute malicious applications with elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).\n\nWhen an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), for existing permissions. 
If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise abuse the TCC service to execute malicious content. This can be done in various ways, including using privileged system applications to execute malicious payloads or manipulating the database to grant their application TCC permissions. \n\nFor example, adversaries can use Finder, which has FDA permissions by default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) while preventing a user prompt. For a system without System Integrity Protection (SIP) enabled, adversaries have also manipulated the operating system to load an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055)) into targeted applications with the desired TCC permissions.\n", + "meta": { + "external_id": "T1548.006", + "kill_chain": [ + "mitre-attack:defense-evasion", + "mitre-attack:privilege-escalation" + ], + "mitre_data_sources": [ + "Command: Command Execution", + "File: File Modification", + "Process: Process Creation" + ], + "mitre_platforms": [ + "macOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1548/006", + "https://interpressecurity.com/resources/return-of-the-macos-tcc/", + "https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/", + 
"https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/" + ] + }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "type": "subtechnique-of" + } + ], + "uuid": "e8a0a025-3601-4755-abfb-8d08283329fb", + "value": "TCC Manipulation - T1548.006" + }, + { + "description": "Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.", "meta": { "external_id": "T1584.006", "kill_chain": [ 
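Review bot: The new T1548.006 description ends with a literal `\n` before the closing quote (`...the desired TCC permissions.\n"`), while the neighbouring descriptions in this hunk and elsewhere in the file end on the sentence itself; renderers that split on `\n\n` show a trailing empty paragraph and the stray newline makes comparisons against the upstream text noisy. The T1588.007 description added in the hunk at -23017 has the same trailing `\n` (`...payloads.(Citation: OpenAI-CTI)\n"`). If these entries come from the galaxy generator reading the ATT&CK STIX bundle, the fix belongs there (strip trailing whitespace from `description` before emitting); otherwise drop the `\n` in both entries here.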
@@ -22853,6 +22942,35 @@ "uuid": "19401639-28d0-4c3c-adcc-bc2ba22f6421", "value": "Digital Certificates - T1588.004" }, + { + "description": "Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.\n\nOnce an adversary has control, compromised network devices can be used to launch additional operations, such as hosting payloads for [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (i.e., [Link Target](https://attack.mitre.org/techniques/T1608/005)) or enabling the required access to execute [Content Injection](https://attack.mitre.org/techniques/T1659) operations. Adversaries may also be able to harvest reusable credentials (i.e., [Valid Accounts](https://attack.mitre.org/techniques/T1078)) from compromised network devices.\n\nAdversaries often target Internet-facing edge devices and related network appliances that specifically do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nCompromised network devices may be used to support subsequent [Command and Control](https://attack.mitre.org/tactics/TA0011) activity, such as [Hide Infrastructure](https://attack.mitre.org/techniques/T1665) through an established [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Botnet](https://attack.mitre.org/techniques/T1584/005) network.(Citation: Justice GRU 2024)", + "meta": { + "external_id": "T1584.008", + "kill_chain": [ + "mitre-attack:resource-development" + ], + "mitre_data_sources": [ + "Internet Scan: Response Content" + ], + "mitre_platforms": [ + "PRE" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1584/008", + 
"https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian", + "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem", + "https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/" + ] + }, + "related": [ + { + "dest-uuid": "7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", + "type": "subtechnique-of" + } + ], + "uuid": "149b477f-f364-4824-b1b5-aa1d56115869", + "value": "Network Devices - T1584.008" + }, { "description": "Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.\n\nAll forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or \"vishing\"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. 
Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.(Citation: BOA Telephone Scams)\n\nVictims may also receive phishing messages that direct them to call a phone number (\"callback phishing\") where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)\n\nAdversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to tailor pretexts to be even more persuasive and believable for the victim.", "meta": { 
@@ -23017,6 +23135,65 @@ "uuid": "ec4be82f-940c-4dcb-87fe-2bbdd17c692f", "value": "Scan Databases - T1596.005" }, + { + "description": "Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)\n\nFor example, by utilizing a publicly available LLM an adversary is essentially outsourcing or automating certain tasks to the tool. Using AI, the adversary may draft and generate content in a variety of written languages to be used in [Phishing](https://attack.mitre.org/techniques/T1566)/[Phishing for Information](https://attack.mitre.org/techniques/T1598) campaigns. The same publicly available tool may further enable vulnerability or other offensive research supporting [Develop Capabilities](https://attack.mitre.org/techniques/T1587). 
AI tools may also automate technical tasks by generating, refining, or otherwise enhancing (e.g., [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)) malicious scripts and payloads.(Citation: OpenAI-CTI)\n", + "meta": { + "external_id": "T1588.007", + "kill_chain": [ + "mitre-attack:resource-development" + ], + "mitre_platforms": [ + "PRE" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1588/007", + "https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors", + "https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/" + ] + }, + "related": [ + { + "dest-uuid": "ce0687a0-e692-4b77-964a-0784a8e54ff1", + "type": "subtechnique-of" + } + ], + "uuid": "0cc222f5-c3ff-48e6-9f52-3314baf9d37e", + "value": "Artificial Intelligence - T1588.007" + }, + { + "description": "Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.(Citation: Electron 2) Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.(Citation: Electron 3) The Chromium engine is used to display web content and Node.js runs the backend code.(Citation: Electron 1)\n\nDue to the functional mechanics of Electron (such as allowing apps to run arbitrary commands), adversaries may also be able to perform malicious functions in the background potentially disguised as legitimate tools within the framework.(Citation: Electron 1) For example, the abuse of `teams.exe` and `chrome.exe` may allow adversaries to execute malicious commands as child processes of the legitimate application (e.g., `chrome.exe --disable-gpu-sandbox --gpu-launcher=\"C:\\Windows\\system32\\cmd.exe /c calc.exe`).(Citation: Electron 6-8)\n\nAdversaries may also execute malicious content by planting 
malicious [JavaScript](https://attack.mitre.org/techniques/T1059/007) within Electron applications.(Citation: Electron Security)", + "meta": { + "external_id": "T1218.015", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation" + ], + "mitre_platforms": [ + "macOS", + "Windows", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1218/015", + "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", + "https://www.electronjs.org/docs/latest/tutorial/using-native-node-modules", + "https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLP-CLEAR-Horejsi-Abusing-Electron-Based-Applications-in-Targeted-Attacks.pdf", + "https://www.kaspersky.com/blog/electron-framework-security-issues/49035/", + "https://www.mend.io/blog/theres-a-new-stealer-variant-in-town-and-its-using-electron-to-stay-fully-undetected/" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "type": "subtechnique-of" + } + ], + "uuid": "561ae9aa-c28a-4144-9eec-e7027a14c8c3", + "value": "Electron Applications - T1218.015" + }, { "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017)\n\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. 
When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.", "meta": { 
@@ -23228,7 +23405,7 @@ "value": "Login Items - T1547.015" }, { - "description": "Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)\n\nUsing legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS `postinstall` scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)) with the elevated permissions.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: wardle evilquest parti)\n\nDepending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include `preinst`, `postinst`, `prerm`, `postrm` scripts and run as root when executed.\n\nFor Windows, the Microsoft Installer services uses `.msi` files to manage the installing, updating, and uninstalling of applications. 
Adversaries have leveraged `Prebuild` and `Postbuild` events to run commands before or after a build when installing .msi files.(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts)", + "description": "Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)\n\nUsing legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS `postinstall` scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)) with the elevated permissions.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: wardle evilquest parti)(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts)\n\nDepending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. 
These scripts can include `preinst`, `postinst`, `prerm`, `postrm` scripts and run as root when executed.\n\nFor Windows, the Microsoft Installer services uses `.msi` files to manage the installing, updating, and uninstalling of applications. These installation routines may also include instructions to perform additional actions that may be abused by adversaries.(Citation: Microsoft Installation Procedures)",
 "meta": {
 "external_id": "T1546.016",
 "kill_chain": [
@@ -23248,6 +23425,7 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1546/016",
 "https://cpb-us-e1.wpmucdn.com/sites.psu.edu/dist/4/24696/files/2019/07/psumac2019-345-Installer-Package-Scripting-Making-your-deployments-easier-one-at-a-time.pdf",
+ "https://learn.microsoft.com/windows/win32/msi/installation-procedure-tables-group",
 "https://objective-see.com/blog/blog_0x59.html",
 "https://redcanary.com/blog/mac-application-bundles/",
 "https://securelist.com/operation-applejeus/87553/",
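Review bot: In the rewritten T1546.016 description the citations `(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts)` now sit at the end of the macOS `postinstall` paragraph, directly after `(Citation: wardle evilquest parti)`, although the sentence they follow says nothing about Windows or Debian; in the removed text they backed the Windows `.msi` sentence, which in the new text is supported only by `(Citation: Microsoft Installation Procedures)`. As written, the Linux maintainer-script paragraph and the `.msi` paragraph that these two sources actually describe are left with no citation for the AppleJeus and Debian claims. If this description is mirrored verbatim from upstream ATT&CK, the misplacement should be raised upstream rather than edited here, since a local edit would be overwritten on the next sync.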
@@ -23433,7 +23611,7 @@
 "value": "Virtualization/Sandbox Evasion - T1497"
 },
 {
- "description": "Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. ",
+ "description": "Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. ",
 "meta": {
 "external_id": "T1001",
 "kill_chain": [
@@ -23449,7 +23627,8 @@
 ],
 "refs": [
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
- "https://attack.mitre.org/techniques/T1001"
+ "https://attack.mitre.org/techniques/T1001",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf"
 ]
 },
 "uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
@@ -23485,7 +23664,7 @@
 "value": "Web Shell - T1100"
 },
 {
- "description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. \n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).",
+ "description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) \n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).",
 "meta": {
 "external_id": "T1020",
 "kill_chain": [
@@ -23506,7 +23685,8 @@
 "Network"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1020"
+ "https://attack.mitre.org/techniques/T1020",
+ "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"
 ]
 },
 "uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
@@ -23567,7 +23747,7 @@ "value": "Data Compressed - T1002" }, { - "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. 
For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)\n\nOn network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)", + "description": "Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. 
Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)\n\nOn network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)", "meta": { "external_id": "T1040", "kill_chain": [ 
@@ -23743,7 +23923,7 @@ "value": "Binary Padding - T1009" }, { - "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.", + "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. 
For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.",
 "meta": {
 "external_id": "T1110",
 "kill_chain": [
@@ -23767,7 +23947,9 @@
 "Network"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1110"
+ "https://attack.mitre.org/techniques/T1110",
+ "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
+ "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html"
 ]
 },
 "uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
@@ -24087,7 +24269,7 @@ "value": "Native API - T1106" }, { - "description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.\n\nContainers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)", + "description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)\n\nContainers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. 
(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)", "meta": { "external_id": "T1610", "kill_chain": [ @@ -24106,8 +24288,10 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1610", + "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216", "https://blog.aquasec.com/malicious-container-image-docker-container-host", "https://docs.docker.com/engine/api/v1.41/#tag/Container", + "https://kubernetes.io/docs/concepts/workloads/controllers/", "https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/", "https://www.kubeflow.org/docs/components/pipelines/overview/pipelines-overview/" ] 
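Review bot: The new Escape to Host sentence in the T1610 description says the breakout comes from deploying "a privileged or vulnerable container", but the reference added for it in the refs hunk on this line (the AppSecco URL) is, judging by its slug, about an insecure hostPath volume — a pod-spec misconfiguration, not a privileged flag or a vulnerable image. Wording such as `a privileged container, or one mounting sensitive host paths (e.g. an insecure hostPath volume)` would match the cited evidence; since this cluster mirrors upstream ATT&CK text, the correction belongs upstream or the next sync will overwrite it. Minor style: ` (Citation: AppSecco Kubernetes Namespace Breakout 2020)` carries a leading space, unlike every other citation in this description.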
@@ -24343,7 +24527,7 @@ "value": "Broadcast Receivers - T1402" }, { - "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).\n\nAdversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204). For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)", + "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. 
These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).\n\nAdversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)\n\nFor example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)", "meta": { "external_id": "T1204", "kill_chain": [ @@ -24371,6 +24555,8 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1204", + "https://blog.talosintelligence.com/roblox-scam-overview/", + "https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/", "https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery" ] }, 
@@ -24668,13 +24854,6 @@ { "dest-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39", "type": "related-to" - }, - { - "dest-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" } ], "uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6", @@ -24803,13 +24982,6 @@ { "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", "type": "revoked-by" - }, - { - "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "revoked-by" } ], "uuid": "45dcbc83-4abc-4de1-b643-e528d1e9df09", 
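Review bot: Both de-duplications on this line keep the bare `related-to` / `revoked-by` entry and delete the copy that carried `estimative-language:likelihood-probability="almost-certain"`, so the confidence tag on the relationship is dropped rather than merged into the survivor. If the tag is meant to stay (MISP consumers that filter relations on it will otherwise see these links vanish), the surviving entry should keep `"tags": ["estimative-language:likelihood-probability=\"almost-certain\""]`; if the untagged form is now the intended generator output, that should be stated in the commit message. Either way the decision belongs in the generator's dedup step, not in per-entry edits, or the duplicates will return on the next sync.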
@@ -24954,7 +25126,7 @@ "value": "Input Capture - T1056" }, { - "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)", + "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. 
Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via `/proc`. \n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)", "meta": { "external_id": "T1057", "kill_chain": [ 
@@ -25012,7 +25184,7 @@ "value": "Stage Capabilities - T1608" }, { - "description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\n\nAdversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.\n\nFor examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.", + "description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. 
This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\n\nAdversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.\n\nFor examples, cloud environments typically provide easily accessible interfaces to obtain user lists.(Citation: AWS List Users)(Citation: Google Cloud - IAM Servie Accounts List API) On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.", "meta": { "external_id": "T1087", "kill_chain": [ @@ -25035,6 +25207,8 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1087", + "https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list", + "https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html", "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" ] }, 
@@ -25109,7 +25283,7 @@ "value": "Multilayer Encryption - T1079" }, { - "description": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).", + "description": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).", "meta": { "external_id": "T1098", "kill_chain": [ 
@@ -25141,6 +25315,7 @@ "https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", "https://github.com/gentilkiwi/mimikatz/issues/92", + "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4670" ] }, @@ -25246,13 +25421,6 @@ { "dest-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe", "type": "related-to" - }, - { - "dest-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" } ], "uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", 
@@ -25435,7 +25603,7 @@ "value": "Code Signing - T1116" }, { - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments.", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. \n\nIn cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS Phishing 2023) \n\nThis functionality could also be built into remote access tools. 
\n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments.", "meta": { "external_id": "T1119", "kill_chain": [ @@ -25454,7 +25622,8 @@ "SaaS" ], "refs": [ - "https://attack.mitre.org/techniques/T1119" + "https://attack.mitre.org/techniques/T1119", + "https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware" ] }, "uuid": "30208d3e-0d6b-43c8-883e-44462a514619", @@ -25492,7 +25661,7 @@ "value": "Template Injection - T1221" }, { - "description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.", + "description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.", "meta": { "external_id": "T1123", "kill_chain": [ 
@@ -25508,7 +25677,8 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/techniques/T1123" + "https://attack.mitre.org/techniques/T1123", + "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" ] }, "uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", 
@@ -25752,20 +25922,13 @@ { "dest-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6", "type": "related-to" - }, - { - "dest-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" } ], "uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39", "value": "Obfuscate infrastructure - T1331" }, { - "description": "Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse operating system functionality to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.\n\n### Windows\nThere are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1086), Jscript, and VBScript to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019)\n\n### Mac\nThe configurations for how applications run on macOS are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. However, adversaries can abuse this feature and hide their running window.(Citation: Antiquated Mac Malware)\n", + "description": "Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. 
This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse operating system functionality to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.\n\n### Windows\nThere are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1086), Jscript, and VBScript to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019)\n\n### Mac\nThe configurations for how applications run on macOS are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. However, adversaries can abuse this feature and hide their running window.(Citation: Antiquated Mac Malware)\n", "meta": { "external_id": "T1143", "kill_chain": [ 
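Review bot: The removed and added T1143 description lines in this hunk are textually identical as far as can be seen here, so the change is presumably whitespace- or escaping-only — worth confirming. Whitespace churn in a sync of this size hides the real edits; if the generator's normalisation (trailing spaces, escape form) differs from what is on disk, it should be made consistent so unchanged descriptions stop showing up as modified. The same hunk also drops the tagged duplicate of the `related-to` link to 72c8d526, losing its `estimative-language` tag, which should be checked against whatever policy the rest of the dedup follows.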
@@ -25814,7 +25977,7 @@ "value": "Screen Capture - T1513" }, { - "description": "Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\n\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.", + "description": "Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\n\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.", "meta": { "external_id": "T1136", "kill_chain": [ @@ -25839,7 +26002,8 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1136", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720" + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us" ] }, "uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", 
@@ -26375,7 +26539,7 @@ "value": "Dylib Hijacking - T1157" }, { - "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).", + "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nSuch software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072), and may allow adversaries broad access to infect devices or move laterally.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).", "meta": { "external_id": "T1518", "kill_chain": [ 
@@ -26390,13 +26554,9 @@ ], "mitre_platforms": [ "Windows", - "Azure AD", - "Office 365", - "SaaS", "IaaS", "Linux", - "macOS", - "Google Workspace" + "macOS" ], "refs": [ "https://attack.mitre.org/techniques/T1518" 
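Review bot: Dropping Azure AD, Office 365, SaaS and Google Workspace from T1518's `mitre_platforms` is a breaking change for anyone who filters or correlates Software Discovery by those platforms, and the description kept on the previous line still says "on a system or in a cloud environment", which after this hunk only IaaS backs. It should be called out in the commit message as a platform-mapping removal rather than left implicit in a large sync, and it is worth checking that T1518's sub-techniques and any downstream taxonomies that referenced these platforms were updated in the same pass.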
@@ -26482,7 +26642,7 @@ "value": "Call Control - T1616" }, { - "description": "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.\n\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. 
In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)\n\nOnce the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)", + "description": "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. 
Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.\n\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)\n\nOnce the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for [Command and Control](https://attack.mitre.org/tactics/TA0011).(Citation: Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for [Defense Evasion](https://attack.mitre.org/tactics/TA0005).(Citation: Browers FriarFox)(Citation: Browser Adrozek) ", "meta": { "external_id": "T1176", "kill_chain": [ 
@@ -26510,6 +26670,8 @@ "https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf", "https://www.ghacks.net/2017/09/19/first-chrome-extension-with-javascript-crypto-miner-detected/", "https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses", + "https://www.microsoft.com/en-us/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/", + "https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global", "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/", "https://www.xorrior.com/No-Place-Like-Chrome/" ] 
@@ -26821,7 +26983,7 @@ "value": "Audio Capture - T1429" }, { - "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).", + "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)", "meta": { "external_id": "T1552", "kill_chain": [ @@ -26848,7 +27010,8 @@ "Network" ], "refs": [ - "https://attack.mitre.org/techniques/T1552" + "https://attack.mitre.org/techniques/T1552", + "https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf" ] }, "uuid": "435dfb86-2697-4867-85b5-2fef496c0517", @@ -27049,13 +27212,6 @@ { "dest-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", "type": "related-to" - }, - { - "dest-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" } ], "uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe", 
@@ -27076,7 +27232,7 @@ "value": "Port redirector - T1363" }, { - "description": "Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged campaign where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017)\n\nAdversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces.\n\nThere have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. 
Once FT learned of the campaign and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.)", + "description": "After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)\n\nFor example, adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic login interfaces.\n\nAdversaries may also leverage internal chat apps, such as Microsoft Teams, to spread malicious content or engage users in attempts to capture sensitive information and/or credentials.(Citation: Int SP - chat apps)", "meta": { "external_id": "T1534", "kill_chain": [ 
@@ -27098,7 +27254,8 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1534",
 "https://blog.trendmicro.com/phishing-starts-inside/",
- "https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6"
+ "https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/",
+ "https://www.trendmicro.com/en_us/research.html"
 ]
 },
 "uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747",
@@ -27150,7 +27307,7 @@
 "value": "Power Settings - T1653"
 },
 {
- "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.",
+ "description": "Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.",
 "meta": {
 "external_id": "T1573",
 "kill_chain": [
@@ -27162,7 +27319,8 @@
 "mitre_platforms": [
 "Linux",
 "macOS",
- "Windows"
+ "Windows",
+ "Network"
 ],
 "refs": [
 "http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840",
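Review bot: The new T1534 reference `https://www.trendmicro.com/en_us/research.html` is a generic research index page rather than the article that `(Citation: Trend Micro - Int SP)` in the rewritten description is meant to back, so a reader cannot verify the claim and the link will drift as that index changes. Dropping the FT post-mortem URL is consistent with the description no longer citing it, but the replacement should resolve to the specific Trend Micro piece; the surviving `https://blog.trendmicro.com/phishing-starts-inside/` entry presumably is that piece, in which case the index URL is a mis-resolved duplicate. Since `refs` here mirror the upstream ATT&CK `external_references`, the correction belongs in the upstream entry or in the generator's reference normalisation, not in a hand edit of this file.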
@@ -27175,7 +27333,7 @@ "value": "Encrypted Channel - T1573" }, { - "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.", + "description": "Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. 
Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.", "meta": { "external_id": "T1583", "kill_chain": [ @@ -27196,6 +27354,7 @@ "https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf", "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2", "https://threatconnect.com/blog/infrastructure-research-hunting/", + "https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/", "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/", "https://www.ic3.gov/Media/News/2022/220818.pdf", "https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft", 
@@ -27320,7 +27479,7 @@ "value": "Log Enumeration - T1654" }, { - "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking)\n\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)", + "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. 
Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking)\n\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)", "meta": { "external_id": "T1584", "kill_chain": [ @@ -27461,6 +27620,7 @@ "Command: Command Execution", "File: File Creation", "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow", "Process: Process Creation", "Sensor Health: Host Status" 
@@ -27474,7 +27634,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1496",
- "https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc",
+ "https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc",
 "https://securelist.com/lazarus-under-the-hood/77908/",
 "https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/",
 "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
@@ -27518,7 +27678,7 @@ "value": "Service Stop - T1489" }, { - "description": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "description": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: Sygnia Elephant Beetle Jan 2022) By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", "meta": { "external_id": "T1565", "kill_chain": [ 
@@ -27539,7 +27699,8 @@
 "Windows"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1565"
+ "https://attack.mitre.org/techniques/T1565",
+ "https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d"
 ]
 },
 "uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931",
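Review bot: The added Sygnia reference for T1565 embeds HubSpot visitor-tracking parameters (`__hstc`, `__hssc`, `__hsfp`, `hsCtaTracking`) copied from one person's browser session; they identify that visitor, add nothing to the citation, and make the link brittle once the CTA identifiers are retired. Strip the query string so the ref is the stable document URL: `"https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf"`. A normalisation step in the generator that drops known tracking parameters (`utm_*`, `__hs*`, `hsCtaTracking`) from every `refs` entry would keep this from reappearing on the next upstream sync.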
@@ -27566,7 +27727,7 @@ "value": "Native API - T1575" }, { - "description": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1)", + "description": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. 
This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) In addition, establishing accounts may allow adversaries to abuse free services, such as registering for trial periods to [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) for malicious purposes.(Citation: Free Trial PurpleUrchin)\n", "meta": { "external_id": "T1585", "kill_chain": [ @@ -27582,6 +27743,7 @@ "refs": [ "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf", "https://attack.mitre.org/techniques/T1585", + "https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation" ] 
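Review bot: The rewritten T1585 description ends with a literal escaped newline (`...(Citation: Free Trial PurpleUrchin)\n"`), which none of the other descriptions in this diff do; it renders as a trailing blank line and makes exact-match comparisons against the upstream value fragile. Because the text is mirrored from upstream ATT&CK, trim trailing whitespace in the generator (the equivalent of `description.rstrip()`) or raise it upstream rather than hand-editing the JSON. The hunk header and the `-` side of this description are on the preceding line.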
@@ -27613,7 +27775,43 @@ "value": "Active Scanning - T1595" }, { - "description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \n\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks)\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: 
AP-NotPetya)", + "description": "Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished in various ways including by identifying and filtering traffic from defensive tools,(Citation: TA571) masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers,(Citation: Schema-abuse)(Citation: Facad1ng)(Citation: Browser-updates) and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely.\n\nC2 networks may include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections. For example, an adversary may use a virtual private cloud to spoof their IP address to closer align with a victim's IP address ranges. This may also bypass security measures relying on geolocation of the source IP address.(Citation: sysdig)(Citation: Orange Residential Proxies)\n\nAdversaries may also attempt to filter network traffic in order to evade defensive tools in numerous ways, including blocking/redirecting common incident responder or security appliance user agents.(Citation: mod_rewrite)(Citation: SocGholish-update) Filtering traffic based on IP and geo-fencing may also avoid automated sandboxing or researcher activity (i.e., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)).(Citation: TA571)(Citation: mod_rewrite)\n\nHiding C2 infrastructure may also be supported by [Resource Development](https://attack.mitre.org/tactics/TA0042) activities such as [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) and [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584). 
For example, using widely trusted hosting services or domains such as prominent URL shortening providers or marketing services for C2 networks may enable adversaries to present benign content that later redirects victims to malicious web pages or infrastructure once specific conditions are met.(Citation: StarBlizzard)(Citation: QR-cofense)",
+ "meta": {
+ "external_id": "T1665",
+ "kill_chain": [
+ "mitre-attack:command-and-control"
+ ],
+ "mitre_data_sources": [
+ "Domain Name: Domain Registration",
+ "Internet Scan: Response Content",
+ "Internet Scan: Response Metadata",
+ "Network Traffic: Network Traffic Content"
+ ],
+ "mitre_platforms": [
+ "macOS",
+ "Windows",
+ "Linux",
+ "Network"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1665",
+ "https://bluescreenofjeff.com/2016-04-12-combatting-incident-responders-with-apache-mod_rewrite/",
+ "https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/",
+ "https://github.com/spyboy-productions/Facad1ng",
+ "https://sysdig.com/content/c/pf-2023-global-cloud-threat-report?x=u_WFRi&xs=524303#page=1",
+ "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse",
+ "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/",
+ "https://www.orangecyberdefense.com/global/blog/research/residential-proxies",
+ "https://www.proofpoint.com/us/blog/threat-insight/are-you-sure-your-browser-date-current-landscape-fake-browser-updates",
+ "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update",
+ "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta571-delivers-icedid-forked-loader"
+ ]
+ },
+ "uuid": "eb897572-8979-4242-a089-56f294f4c91d",
+ "value": "Hide Infrastructure - T1665"
+ },
+ {
+ "description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own
financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \n\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening to leak sensitive data to the public unless payment is made to the adversary.(Citation: Mandiant-leaks) Adversaries may use dedicated leak sites to distribute victim data.(Citation: Crowdstrike-leaks)\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)", "meta": { "external_id": "T1657", "kill_chain": [ 
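Review bot: The new `Hide Infrastructure - T1665` entry lists `mitre_platforms` as `macOS, Windows, Linux, Network`, whereas every other entry touched in this diff orders them `Linux, macOS, Windows, Network`; if the generator sorts platforms this one slipped through, and if it copies upstream order verbatim, a stable sort would keep future diffs reviewable. The sysdig ref `https://sysdig.com/content/c/pf-2023-global-cloud-threat-report?x=u_WFRi&xs=524303#page=1` carries campaign-tracking query parameters and a page fragment that should be stripped like other tracked links, leaving `https://sysdig.com/content/c/pf-2023-global-cloud-threat-report`. Consumers that auto-fetch `refs` should also be aware that `https://github.com/spyboy-productions/Facad1ng` points at a URL-masking tool rather than vendor research, which is fine as a source but worth knowing before linking it from detection documentation. The same hunk rewrites the T1657 description, which continues on the following lines.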
@@ -27636,6 +27834,7 @@
 "https://www.bbc.com/news/technology-60933174",
 "https://www.cisa.gov/sites/default/files/Ransomware_Trifold_e-version.pdf",
 "https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/#:~:text=Vendor%20email%20compromise%2C%20also%20referred,steal%20from%20that%20vendor%27s%20customers.",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
 "https://www.fbi.gov/file-repository/fy-2022-fbi-congressional-report-business-email-compromise-and-real-estate-wire-fraud-111422.pdf/view",
 "https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf",
 "https://www.justice.gov/usao-cdca/pr/3-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyber-attacks-and",
@@ -27811,7 +28010,7 @@ "value": "Obtain Capabilities - T1588" }, { - "description": "Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). \n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. \n\n \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible an adversary, depending on the point of capture. ", + "description": "Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). \n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms. 
For example, a malicious application may register itself as a VPN client, effectively redirecting device traffic to adversary-owned resources. Registering as a VPN client requires user consent on both Android and iOS; additionally, a special entitlement granted by Apple is needed for iOS devices. Alternatively, a malicious application with escalation privileges may utilize those privileges to gain access to network traffic. \n\n\n Specific to Android devices, adversary-in-the-disk is a type of AiTM attack where adversaries monitor and manipulate data that is exchanged between applications and external storage.(Citation: mitd_kaspersky)(Citation: mitd_checkpoint)(Citation: mitd_checkpoint_research) To accomplish this, a malicious application firsts requests for access to multimedia files on the device (`READ_EXTERNAL STORAGE` and `WRITE_EXTERNAL_STORAGE`), then the application reads data on the device and/or writes malware to the device. Though the request for access is common, when used maliciously, adversaries may access files and other sensitive data due to abusing the permission. Multiple applications were shown to be vulnerable against this attack; however, scrutiny of permissions and input validations may mitigate this attack. \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as [ARP Cache Poisoning](https://attack.mitre.org/techniques/T1557/002) or [DHCP Spoofing](https://attack.mitre.org/techniques/T1557/003). \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible to adversaries, depending on the point of capture. 
For example, properly implementing Apple’s Application Transport Security (ATS) and Android’s Network Security Configuration (NSC) may prevent sensitive data leaks.(Citation: NSC_Android)", "meta": { "external_id": "T1638", "kill_chain": [ 
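Review bot: The rewritten T1638 description names the Android permission as `READ_EXTERNAL STORAGE` (space instead of underscore) next to the correctly spelled `WRITE_EXTERNAL_STORAGE`, so anyone grepping the galaxy for the real permission string `READ_EXTERNAL_STORAGE` will miss this entry. The same sentence reads "a malicious application firsts requests for access", which should be "first requests access". Because descriptions here are mirrored from the upstream ATT&CK STIX bundle, the correction should be submitted upstream or applied in a documented post-processing step, otherwise the next regeneration reintroduces it. The hunk starts two lines above with the `-` side of this description.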
@@ -27823,18 +28022,22 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1638", + "https://blog.checkpoint.com/security/man-in-the-disk-a-new-attack-surface-for-android-apps/", "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-8.html", "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", - "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-12.html" + "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-12.html", + "https://research.checkpoint.com/androids-man-in-the-disk/", + "https://usa.kaspersky.com/blog/man-in-the-disk/16089/", + "https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/" ] }, "uuid": "08e22979-d320-48ed-8711-e7bf94aabb13", "value": "Adversary-in-the-Middle - T1638" }, { - "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. 
ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", + "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). 
By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens ([Steal Application Access Token](https://attack.mitre.org/techniques/T1528)) and session cookies ([Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)).(Citation: volexity_0day_sophos_FW)(Citation: Token tactics) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", "meta": { "external_id": "T1557", "kill_chain": [ 
@@ -27860,6 +28063,7 @@
 "https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/",
 "https://securelist.com/ad-blocker-with-miner-included/101105/",
 "https://tlseminar.github.io/downgrade-attacks/",
+ "https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/",
 "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/",
 "https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/",
 "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/125/how-dns-changer-trojans-direct-users-to-threats",
@@ -28171,7 +28375,8 @@
 "mitre_platforms": [
 "Linux",
 "macOS",
- "Windows"
+ "Windows",
+ "Network"
 ],
 "refs": [
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
@@ -28335,7 +28540,7 @@ "value": "Steganography - T1027.003" }, { - "description": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nScripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)\n\nAppleScripts do not need to call osascript to execute. However, they may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.\n\nAdversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. 
On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team) Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)", + "description": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nScripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)\n\nAppleScripts do not need to call osascript to execute. However, they may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.\n\nAdversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. 
On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team) Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)", "meta": { "external_id": "T1059.002", "kill_chain": [ 
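Review bot: The removed and added `description` lines of this hunk read identically, so whatever changed (presumably trailing whitespace, a line-ending, or a non-printing Unicode character) is invisible in the diff; the `@@ -29433` and `@@ -29617` hunks further down show the same no-op-looking pair. If the generator emits such byte-level changes in upstream-mirrored text, normalizing them consistently or stating the cause in the commit message would save reviewers from hunting for a textual difference that is not there. The enclosing AppleScript entry starts before this hunk, so the other fields of that object cannot be compared here.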
@@ -28453,7 +28658,7 @@
 "value": "Launchd - T1053.004"
 },
 {
- "description": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.\n\nPython comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.",
+ "description": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)\n\nPython comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.",
 "meta": {
 "external_id": "T1059.006",
 "kill_chain": [
@@ -28469,7 +28674,8 @@
 "macOS"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1059/006"
+ "https://attack.mitre.org/techniques/T1059/006",
+ "https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online"
 ]
 },
 "related": [
@@ -28698,6 +28904,41 @@
 "uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a",
 "value": "Sharepoint - T1213.002"
 },
+ {
+ "description": "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application Virtualization, or App-V).(Citation: 1 - appv) For example, Windows may render Win32 applications to users as virtual applications, allowing users to launch and interact with them as if they were installed locally.(Citation: 2 - appv)(Citation: 3 - appv)\n \nThe SyncAppvPublishingServer.vbs script is legitimate, may be signed by Microsoft, and is commonly executed from `\\System32` through the command line via `wscript.exe`.(Citation: 4 - appv)(Citation: 5 - appv)\n\nAdversaries may abuse SyncAppvPublishingServer.vbs to bypass [PowerShell](https://attack.mitre.org/techniques/T1059/001) execution restrictions and evade defensive counter measures by \"living off the land.\"(Citation: 6 - appv)(Citation: 4 - appv) Proxying execution may function as a trusted/signed alternative to directly invoking `powershell.exe`.(Citation: 7 - appv)\n\nFor example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands may be invoked using:(Citation: 5 - appv)\n\n`SyncAppvPublishingServer.vbs \"n; {PowerShell}\"`",
+ "meta": {
+ "external_id": "T1216.002",
+ "kill_chain": [
+ "mitre-attack:defense-evasion"
+ ],
+ "mitre_data_sources": [
+ "Command: Command Execution",
+ "Process: Process Creation",
+ "Script: Script Execution"
+ ],
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1216/002",
+ "https://learn.microsoft.com/en-us/windows/application-management/app-v/appv-getting-started",
+ "https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/",
+ 
"https://securelist.com/bluenoroff-methods-bypass-motw/108383/",
+ "https://strontic.github.io/xcyclopedia/library/SyncAppvPublishingServer.exe-3C291419F60CDF9C2E4E19AD89944FA3.html",
+ "https://twitter.com/monoxgas/status/895045566090010624",
+ "https://www.hackingarticles.in/indirect-command-execution-defense-evasion-t1202/",
+ "https://www.trellix.com/en-ca/about/newsroom/stories/research/suspected-darkhotel-apt-activity-update/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "e6f19759-dde3-47fc-99cc-d9f5fa4ade60",
+ "value": "SyncAppvPublishingServer - T1216.002"
+ },
 {
 "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\n\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.\n\nCMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. 
(Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)",
 "meta": {
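Review bot: The new T1216.002 entry's `refs` array cites a bare `https://twitter.com/monoxgas/status/895045566090010624` link, while other volatile sources on this page are kept as `https://web.archive.org/web/...` snapshots (see the T1583.001 refs hunk below). If the refs are copied verbatim from the upstream ATT&CK external references, the generator is the right place to substitute an archived URL; otherwise an archived snapshot would keep the citation resolvable after the post disappears. The `strontic.github.io` and `hackingarticles.in` entries are community-hosted pages and would benefit from the same treatment.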
@@ -28943,7 +29184,7 @@ "value": "Keychain - T1634.001" }, { - "description": "Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute \"IDN homograph attacks,\" creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)\n\nAdversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. 
Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)", + "description": "Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) 
to execute \"IDN homograph attacks,\" creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)\n\nAdversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)", "meta": { "external_id": "T1583.001", "kill_chain": [ 
@@ -28961,17 +29202,21 @@
 "https://attack.mitre.org/techniques/T1583/001",
 "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html",
 "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html",
+ "https://docs.ostorlab.co/kb/IPA_URL_SCHEME_HIJACKING/index.html",
 "https://krebsonsecurity.com/2018/11/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/",
+ "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
 "https://threatconnect.com/blog/infrastructure-research-hunting/",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-258a",
 "https://us-cert.cisa.gov/ncas/tips/ST05-016",
 "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
 "https://web.archive.org/web/20171223000420/https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/",
 "https://web.archive.org/web/20220527112908/https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/",
+ "https://www.blackhat.com/presentations/bh-dc-08/McFeters-Rios-Carter/Presentation/bh-dc-08-mcfeters-rios-carter.pdf",
 "https://www.blackhillsinfosec.com/bypass-web-proxy-filtering/",
 "https://www.cobaltstrike.com/blog/high-reputation-redirectors-and-domain-fronting/",
 "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
 "https://www.mdsec.co.uk/2017/07/categorisation-is-not-a-security-boundary/",
+ "https://www.techtarget.com/searchsecurity/tip/Preparing-for-uniform-resource-identifier-URI-exploits",
 "https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/"
 ]
 },
@@ -29402,7 +29647,7 @@ "value": "Tool - T1588.002" }, { - "description": "Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Adversaries may use web servers to support support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.\n\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)", + "description": "Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), enabling [Phishing](https://attack.mitre.org/techniques/T1566) operations, or facilitating [Command and Control](https://attack.mitre.org/tactics/TA0011). Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. 
Free trial periods of cloud servers may also be abused.(Citation: Free Trial PurpleUrchin)(Citation: Freejacked) \n\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)", "meta": { "external_id": "T1583.004", "kill_chain": [ @@ -29418,7 +29663,9 @@ "refs": [ "https://attack.mitre.org/techniques/T1583/004", "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2", + "https://sysdig.com/blog/googles-vertex-ai-platform-freejacked/", "https://threatconnect.com/blog/infrastructure-research-hunting/", + "https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/", "https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation", "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html" ] 
@@ -29433,7 +29680,7 @@
 "value": "Server - T1583.004"
 },
 {
- "description": "Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)",
+ "description": "Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)",
 "meta": {
 "external_id": "T1583.005",
 "kill_chain": [
@@ -29554,7 +29801,7 @@
 "value": "Malvertising - T1583.008"
 },
 {
- "description": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.",
+ "description": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control.(Citation: TrendMicro EarthLusca 2022) Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.",
 "meta": {
 "external_id": "T1584.004",
 "kill_chain": [
@@ -29571,7 +29818,8 @@
 "https://attack.mitre.org/techniques/T1584/004",
 "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2",
 "https://threatconnect.com/blog/infrastructure-research-hunting/",
- "https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation"
+ "https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf"
 ]
 },
 "related": [
@@ -29617,7 +29865,7 @@
 "value": "Trap - T1546.005"
 },
 {
- "description": "Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.(Citation: Imperva DDoS for Hire) Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).",
+ "description": "Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.(Citation: Imperva DDoS for Hire) Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).",
 "meta": {
 "external_id": "T1584.005",
 "kill_chain": [
@@ -30008,6 +30256,40 @@
 "uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd",
 "value": "Emond - T1546.014"
 },
+ {
+ "description": "Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.(Citation: Microsoft App Domains) \n\nKnown as \"AppDomainManager injection,\" adversaries may execute arbitrary code by hijacking how .NET applications load assemblies. For example, malware may create a custom application domain inside a target process to load and execute an arbitrary assembly. Alternatively, configuration files (`.config`) or process environment variables that define .NET runtime settings may be tampered with to instruct otherwise benign .NET applications to load a malicious assembly (identified by name) into the target process.(Citation: PenTestLabs AppDomainManagerInject)(Citation: PwC Yellow Liderc)(Citation: Rapid7 AppDomain Manager Injection)",
+ "meta": {
+ "external_id": "T1574.014",
+ "kill_chain": [
+ "mitre-attack:persistence",
+ "mitre-attack:privilege-escalation",
+ "mitre-attack:defense-evasion"
+ ],
+ "mitre_data_sources": [
+ "File: File Creation",
+ "Module: Module Load",
+ "Process: Process Creation"
+ ],
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1574/014",
+ "https://learn.microsoft.com/dotnet/framework/app-domains/application-domains",
+ "https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection/",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html",
+ 
"https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "356662f7-e315-4759-86c9-6214e2a50ff8",
+ "value": "AppDomainManager - T1574.014"
+ },
 {
 "description": "During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.\n\nAdversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user (Citation: Methods of Mac Malware Persistence).",
 "meta": {
@@ -30252,7 +30534,7 @@
 "value": "Kerberoasting - T1208"
 },
 {
- "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.",
+ "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)",
 "meta": {
 "external_id": "T1036",
 "kill_chain": [
@@ -30932,5 +31214,5 @@
 "value": "Keychain - T1579"
 }
 ],
- "version": 27
+ "version": 28
 }
diff --git a/clusters/mitre-course-of-action.json b/clusters/mitre-course-of-action.json
index 89220bcd..3fa29485 100644
--- a/clusters/mitre-course-of-action.json
+++ b/clusters/mitre-course-of-action.json
@@ -22,15 +22,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "8b36d944-f274-4d46-9acd-dbba6927ce7a",
 "value": "Registry Run Keys / Startup Folder Mitigation - T1060"
 },
@@ -43,15 +35,7 @@
 "https://attack.mitre.org/mitigations/T1041"
 ]
 },
- "related": [
- {
- "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "92c28497-2820-445e-9f3e-a03dd77dc0c8",
 "value": "Exfiltration Over Command and Control Channel Mitigation - T1041"
 },
@@ -126,6 +110,10 @@
 "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
 "type": "mitigates"
@@ -158,6 +146,10 @@
 "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "561ae9aa-c28a-4144-9eec-e7027a14c8c3",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5",
 "type": "mitigates"
@@ -367,6 +359,10 @@
 "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
 "type": "mitigates"
@@ -379,6 +375,10 @@
 "dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "7f0ca133-88c4-40c6-a62f-b3083a7fbc2e",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "800f9819-7007-4540-a520-40e655876800",
 "type": "mitigates"
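Review bot: The `@@ -22` and `@@ -43` hunks replace the whole `related` array with `[]`, so the only `mitigates` edge of these deprecated mitigations disappears rather than being de-duplicated; the same pattern recurs in the `@@ -420`, `@@ -441`, `@@ -462`, `@@ -486`, `@@ -507`, `@@ -528`, `@@ -553` and `@@ -630` hunks that follow. This differs from the attack-pattern hunks, where a tagged entry was removed only next to an untagged copy of the same `dest-uuid`, and any consumer that walks mitigation→technique links will now find nothing for these objects. If the edges are still meaningful, keeping them as plain entries such as `{ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "type": "mitigates" }` preserves the graph; if the upstream source really carries no relationship for deprecated mitigations, a sentence saying so in the commit message would make the intent reviewable. Emitting `[]` rather than `null` or omitting the key is the right shape, since it keeps `related` iterable without a type check.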
@@ -420,15 +420,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "d9727aee-48b8-4fdb-89e2-4c49746ba4dd", "value": "Data from Network Shared Drive Mitigation - T1039" }, @@ -441,15 +433,7 @@ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf" ] }, - "related": [ - { - "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "0bc3ce00-83bc-4a92-a042-79ffbc6af259", "value": "Windows Management Instrumentation Event Subscription Mitigation - T1084" }, @@ -462,15 +446,7 @@ "https://attack.mitre.org/mitigations/T1094" ] }, - "related": [ - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "f3d0c735-330f-43c2-8e8e-51bcfa51e8c3", "value": "Custom Command and Control Protocol Mitigation - T1094" }, @@ -486,15 +462,7 @@ "https://attack.mitre.org/mitigations/T1183" ] }, - "related": [ - { - "dest-uuid": "62166220-e498-410f-a90a-19d4339d4e99", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "33f76731-b840-446f-bee0-53687dad24d9", "value": "Image File Execution Options Injection Mitigation - T1183" }, 
@@ -507,15 +475,7 @@ "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf" ] }, - "related": [ - { - "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "ef273807-c465-4728-9cee-5823422f42ee", "value": "SIP and Trust Provider Hijacking Mitigation - T1198" }, @@ -528,15 +488,7 @@ "https://attack.mitre.org/mitigations/T1095" ] }, - "related": [ - { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "399d9038-b100-43ef-b28d-a5065106b935", "value": "Standard Non-Application Layer Protocol Mitigation - T1095" }, @@ -553,15 +505,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "d01f473f-3cdc-4867-9e55-1de9cf1986f0", "value": "Deobfuscate/Decode Files or Information Mitigation - T1140" }, @@ -609,13 +553,6 @@ { "dest-uuid": "ccde43e4-78f9-4f32-b401-c081e7db71ea", "type": "mitigates" - }, - { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" } ], "uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433", @@ -630,15 +567,7 @@ "https://attack.mitre.org/mitigations/T1030" ] }, - "related": [ - { - "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "ba06d68a-4891-4eb5-b634-152e05ec60ee", "value": "Data Transfer Size Limits Mitigation - T1030" }, 
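Review bot: In the `cf2cccb1-cab8-431a-8ecf-f7874d05f433` entry (hunk `@@ -609,13 +553,6 @@`) the removed relationship to `9d7c32f4-ab39-49dc-8055-8106bc2294a1` is not replaced by an untagged copy inside the hunk, and since the new-side `related` lists in this file appear sorted by `dest-uuid`, a surviving copy would sit above the visible context rather than next to the removed line; please verify one exists. The same check applies to the two relationships (`a0464539-e1b7-4455-a355-12495987c300`, `2204c371-6100-4ae0-82f3-25c07c29772a`) removed from the `0beabf44-e8d8-4ae4-9122-ef56369a2564` entry at `@@ -2176,20 +1814,6 @@` further down. If no counterpart exists, these are lost `mitigates` edges on entries whose `related` list is otherwise intact, not deduplication. Both entries begin outside their hunks.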
@@ -655,15 +584,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "7ee0879d-ce4f-4f54-a96b-c532dfb98ffd", "value": "Data from Local System Mitigation - T1005" }, @@ -680,15 +601,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "902286b2-96cc-4dd7-931f-e7340c9961da", "value": "File System Logical Offsets Mitigation - T1006" }, @@ -700,15 +613,7 @@ "https://attack.mitre.org/mitigations/M1007" ] }, - "related": [ - { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9", "value": "Caution with Device Administrator Access - M1007" }, @@ -720,15 +625,7 @@ "https://attack.mitre.org/mitigations/T1070" ] }, - "related": [ - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "6cac62ce-550b-4793-8ee6-6a1b8836edb0", "value": "Indicator Removal on Host Mitigation - T1070" }, @@ -743,15 +640,7 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [ - { - "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "14b63e6b-7531-4476-9e60-02cc5db48b62", "value": "Exploitation of Remote Services Mitigation - T1210" }, 
@@ -768,15 +657,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "684feec3-f9ba-4049-9d8f-52d52f3e0e40", "value": "System Network Configuration Discovery Mitigation - T1016" }, @@ -795,15 +676,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "effb83a0-ead1-4b36-b7f6-b7bdf9c4616e", "value": "Replication Through Removable Media Mitigation - T1091" }, @@ -872,6 +745,14 @@ "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", "type": "mitigates" }, + { + "dest-uuid": "356662f7-e315-4759-86c9-6214e2a50ff8", + "type": "mitigates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "mitigates" + }, { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "type": "mitigates" @@ -1024,6 +905,10 @@ "dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11", "type": "mitigates" }, + { + "dest-uuid": "e8a0a025-3601-4755-abfb-8d08283329fb", + "type": "mitigates" + }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "mitigates" @@ -1056,15 +941,7 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [ - { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "f2dcee22-c275-405e-87fd-48630a19dfba", "value": "Exploitation for Client Execution Mitigation - T1203" }, 
@@ -1082,15 +959,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "68c96494-1a50-403e-8844-69a6af278c68", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "d7c49196-b40e-42bc-8eed-b803113692ed", "value": "Change Default File Association Mitigation - T1042" }, @@ -1107,15 +976,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "39706d54-0d06-4a25-816a-78cc43455100", "value": "Data from Removable Media Mitigation - T1025" }, @@ -1129,15 +990,7 @@ "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx" ] }, - "related": [ - { - "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "e547ed6a-f1ca-40df-8613-2ce27927f145", "value": "Exfiltration Over Physical Medium Mitigation - T1052" }, @@ -1151,15 +1004,7 @@ "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx" ] }, - "related": [ - { - "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "b8d57b16-d8e2-428c-a645-1083795b3445", "value": "Communication Through Removable Media Mitigation - T1092" }, 
@@ -1176,15 +1021,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1", "value": "File and Directory Discovery Mitigation - T1083" }, @@ -1202,15 +1039,7 @@ "https://github.com/mattifestation/PowerSploit" ] }, - "related": [ - { - "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "96913243-2b5e-4483-a65c-bb152ddd2f04", "value": "DLL Search Order Hijacking Mitigation - T1038" }, @@ -1227,15 +1056,7 @@ "https://github.com/mattifestation/PowerSploit" ] }, - "related": [ - { - "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "1022138b-497c-40e6-b53a-13351cbd4090", "value": "File System Permissions Weakness Mitigation - T1044" }, @@ -1252,15 +1073,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "c1676218-c16a-41c9-8f7a-023779916e39", "value": "System Network Connections Discovery Mitigation - T1049" }, @@ -1275,15 +1088,7 @@ "https://attack.mitre.org/mitigations/T1058" ] }, - "related": [ - { - "dest-uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "9378f139-10ef-4e4b-b679-2255a0818902", "value": "Service Registry Permissions Weakness Mitigation - T1058" }, 
@@ -1300,15 +1105,7 @@ "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" ] }, - "related": [ - { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "4b998a71-7b8f-4dcc-8f3f-277f2e740271", "value": "Indicator Removal from Tools Mitigation - T1066" }, @@ -1323,15 +1120,7 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [ - { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "92e6d080-ca3f-4f95-bc45-172a32c4e502", "value": "Exploitation for Privilege Escalation Mitigation - T1068" }, @@ -1344,15 +1133,7 @@ "https://github.com/hfiref0x/UACME" ] }, - "related": [ - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "beb45abb-11e8-4aef-9778-1f9ac249784f", "value": "Bypass User Account Control Mitigation - T1088" }, @@ -1367,15 +1148,7 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [ - { - "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "37a3f3f5-76e6-43fe-b935-f1f494c95725", "value": "Exploitation for Defense Evasion Mitigation - T1211" }, 
@@ -1392,15 +1165,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "cba5667e-e3c6-44a4-811c-266dbc00e440", "value": "Extra Window Memory Injection Mitigation - T1181" }, @@ -1415,15 +1180,7 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [ - { - "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "06160d81-62be-46e5-aa37-4b9c645ffa31", "value": "Exploitation for Credential Access Mitigation - T1212" }, @@ -1440,15 +1197,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "ff5d862a-ae6b-4833-8c15-e235d654d28e", "value": "Component Object Model Hijacking Mitigation - T1122" }, @@ -1460,15 +1209,7 @@ "https://attack.mitre.org/mitigations/T1213" ] }, - "related": [ - { - "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "13cad982-35e3-4340-9095-7124b653df4b", "value": "Data from Information Repositories Mitigation - T1213" }, @@ -1483,15 +1224,7 @@ "https://patchwork.kernel.org/patch/8754821/" ] }, - "related": [ - { - "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "44155d14-ca75-4fdf-b033-ab3d732e2884", "value": "Kernel Modules and Extensions Mitigation - T1215" }, 
@@ -1508,15 +1241,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "94e95eeb-7cdb-4bd7-afba-f32fda303dbb", "value": "Network Share Connection Removal Mitigation - T1126" }, @@ -1528,15 +1253,7 @@ "https://attack.mitre.org/mitigations/T1216" ] }, - "related": [ - { - "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "51048ba0-a5aa-41e7-bf5d-993cd217dfb2", "value": "Signed Script Proxy Execution Mitigation - T1216" }, @@ -1548,15 +1265,7 @@ "https://attack.mitre.org/mitigations/T1129" ] }, - "related": [ - { - "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "cfd2cd3b-93e7-4b3e-ab46-f8bcafdbdfcf", "value": "Execution through Module Load Mitigation - T1129" }, @@ -1573,15 +1282,7 @@ "https://technet.microsoft.com/library/cc771387.aspx" ] }, - "related": [ - { - "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "910482b1-6749-4934-abcb-3e34d58294fc", "value": "Distributed Component Object Model Mitigation - T1175" }, @@ -1593,15 +1294,7 @@ "https://attack.mitre.org/mitigations/T1185" ] }, - "related": [ - { - "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "94f6b4f5-b528-4f50-91d5-f66457c2f8f7", "value": "Man in the Browser Mitigation - T1185" }, 
@@ -1613,15 +1306,7 @@ "https://attack.mitre.org/mitigations/T1158" ] }, - "related": [ - { - "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "84d633a4-dd93-40ca-8510-40238c021931", "value": "Hidden Files and Directories Mitigation - T1158" }, @@ -1677,15 +1362,7 @@ "https://attack.mitre.org/mitigations/T1190" ] }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "65da1eb6-d35d-4853-b280-98a76c0aef53", "value": "Exploit Public-Facing Application Mitigation - T1190" }, @@ -1702,15 +1379,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "e8d22ec6-2236-48de-954b-974d17492782", "value": "Two-Factor Authentication Interception Mitigation - T1111" }, @@ -1722,15 +1391,7 @@ "https://attack.mitre.org/mitigations/T1156" ] }, - "related": [ - { - "dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "4f170666-7edb-4489-85c2-9affa28a72e0", "value": ".bash_profile and .bashrc Mitigation - T1156" }, 
@@ -1747,22 +1408,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44", "value": "System Owner/User Discovery Mitigation - T1033" }, @@ -1779,15 +1425,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "25d5e1d8-c6fb-4735-bc57-115a21222f4b", "value": "Application Window Discovery Mitigation - T1010" }, @@ -1824,6 +1462,10 @@ "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", "type": "mitigates" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "mitigates" + }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "mitigates" @@ -2007,15 +1649,7 @@ "https://attack.mitre.org/mitigations/T1004" ] }, - "related": [ - { - "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "313c8b20-4d49-40c1-9ac0-4c573aca28f3", "value": "Winlogon Helper DLL Mitigation - T1004" }, @@ -2129,6 +1763,10 @@ "dest-uuid": "acf8fd2a-dc98-43b4-8d37-64e10728e591", "type": "mitigates" }, + { + "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", + "type": "mitigates" + }, { "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", "type": "mitigates" 
@@ -2176,20 +1814,6 @@ { "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "type": "mitigates" - }, - { - "dest-uuid": "a0464539-e1b7-4455-a355-12495987c300", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" } ], "uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", @@ -2208,15 +1832,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "d8787791-d22e-45bb-a9a8-251d8d0a1ff2", "value": "System Service Discovery Mitigation - T1007" }, @@ -2233,15 +1849,7 @@ "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" ] }, - "related": [ - { - "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "f0a42cad-9b1f-44da-a672-718f18381018", "value": "Taint Shared Content Mitigation - T1080" }, @@ -2255,15 +1863,7 @@ "https://technet.microsoft.com/en-us/library/dn408187.aspx" ] }, - "related": [ - { - "dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "9e57c770-5a39-49a2-bb91-253ba629e3ac", "value": "Security Support Provider Mitigation - T1101" }, 
@@ -2280,15 +1880,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "1881da33-fdf2-4eea-afd0-e04caf9c000f", "value": "Peripheral Device Discovery Mitigation - T1120" }, @@ -2301,15 +1893,7 @@ "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements" ] }, - "related": [ - { - "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "49961e75-b493-423a-9ec7-ac2d6f55384a", "value": "Password Policy Discovery Mitigation - T1201" }, @@ -2323,15 +1907,7 @@ "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec" ] }, - "related": [ - { - "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "23061b40-a7b6-454f-8950-95d5ff80331c", "value": "Install Root Certificate Mitigation - T1130" }, @@ -2347,15 +1923,7 @@ "https://github.com/mattifestation/PowerSploit" ] }, - "related": [ - { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "fe0aeb41-1a51-4152-8467-628256ea6adf", "value": "Modify Existing Service Mitigation - T1031" }, 
@@ -2368,15 +1936,7 @@ "https://attack.mitre.org/mitigations/T1105" ] }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "cdecc44a-1dbf-4c1f-881c-f21e3f47272a", "value": "Remote File Copy Mitigation - T1105" }, @@ -2393,15 +1953,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "a6525aec-acc4-47fe-92f9-b9b4de4b9228", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "aaa92b37-f96c-4a0a-859c-b1cb6faeb13d", "value": "Graphical User Interface Mitigation - T1061" }, @@ -2413,15 +1965,7 @@ "https://attack.mitre.org/mitigations/T1017" ] }, - "related": [ - { - "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "c88151a5-fe3f-4773-8147-d801587065a4", "value": "Application Deployment Software Mitigation - T1017" }, @@ -2434,15 +1978,7 @@ "https://attack.mitre.org/mitigations/T1081" ] }, - "related": [ - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "0472af99-f25c-4abe-9fce-010fa3450e72", "value": "Credentials in Files Mitigation - T1081" }, @@ -2459,15 +1995,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "9a902722-cecd-4fbe-a6c9-49333aa0f8c2", "value": "Remote System Discovery Mitigation - T1018" }, 
@@ -2485,15 +2013,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "1e614ba5-2fc5-4464-b512-2ceafb14d76d", "value": "Indirect Command Execution Mitigation - T1202" }, @@ -2518,15 +2038,7 @@ "https://attack.mitre.org/mitigations/T1032" ] }, - "related": [ - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "a766ce73-5583-48f3-b7c0-0bb43c6ef8c7", "value": "Standard Cryptographic Protocol Mitigation - T1032" }, @@ -2539,15 +2051,7 @@ "https://attack.mitre.org/mitigations/T1024" ] }, - "related": [ - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "a569295c-a093-4db4-9fb4-7105edef85ad", "value": "Custom Cryptographic Protocol Mitigation - T1024" }, @@ -2564,15 +2068,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "c620e3a1-fff5-424f-abea-d2b0f3616f67", "value": "System Information Discovery Mitigation - T1082" }, @@ -2585,15 +2081,7 @@ "https://attack.mitre.org/mitigations/T1028" ] }, - "related": [ - { - "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "3e9f8875-d2f7-4380-a578-84393bd3b025", "value": "Windows Remote Management Mitigation - T1028" }, 
@@ -2606,15 +2094,7 @@ "https://attack.mitre.org/mitigations/T1043" ] }, - "related": [ - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "7c1796c7-9fc3-4c3e-9416-527295bf5d95", "value": "Commonly Used Port Mitigation - T1043" }, @@ -2631,15 +2111,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "bd2554b8-634f-4434-a986-9b49c29da2ae", "value": "Security Software Discovery Mitigation - T1063" }, @@ -2656,15 +2128,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "d256cb63-b021-4b4a-bb6d-1b42eea179a3", "value": "Network Service Scanning Mitigation - T1046" }, @@ -2760,15 +2224,7 @@ "https://attack.mitre.org/mitigations/T1065" ] }, - "related": [ - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "a0d8db1d-a731-4428-8209-c07175f4b1fe", "value": "Uncommonly Used Port Mitigation - T1065" }, 
@@ -2781,15 +2237,7 @@ "https://github.com/iadgov/Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml" ] }, - "related": [ - { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "bcee7b05-89a6-41a5-b7aa-fce4da7ede9e", "value": "Pass the Hash Mitigation - T1075" }, @@ -2803,15 +2251,7 @@ "https://technet.microsoft.com/en-us/library/cc754272(v=ws.11).aspx" ] }, - "related": [ - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "53b3b027-bed3-480c-9101-1247047d0fe6", "value": "Remote Desktop Protocol Mitigation - T1076" }, @@ -2831,15 +2271,7 @@ "https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore" ] }, - "related": [ - { - "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "ac008435-af58-4f77-988a-c9b96c5920f5", "value": "NTFS File Attributes Mitigation - T1096" }, @@ -2856,15 +2288,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "dd9a85ad-6a92-4986-a215-b01d0ce7b987", "value": "Permission Groups Discovery Mitigation - T1069" }, 
@@ -2881,15 +2305,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "308855d1-078b-47ad-8d2a-8f9b2713ffb5", "value": "Windows Admin Shares Mitigation - T1077" }, @@ -2908,15 +2324,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "3a476d83-43eb-4fad-9b75-b1febd834e3d", "value": "Pass the Ticket Mitigation - T1097" }, @@ -2928,15 +2336,7 @@ "https://attack.mitre.org/mitigations/T1089" ] }, - "related": [ - { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "388606d3-f38f-45bf-885d-a9dc9df3c8a8", "value": "Disabling Security Tools Mitigation - T1089" }, @@ -2948,15 +2348,7 @@ "https://attack.mitre.org/mitigations/T1151" ] }, - "related": [ - { - "dest-uuid": "e2907cea-4b43-4ed7-a570-0fdf0fbeea00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "02f0f92a-0a51-4c94-9bda-6437b9a93f22", "value": "Space after Filename Mitigation - T1151" }, @@ -2968,15 +2360,7 @@ "https://attack.mitre.org/mitigations/T1214" ] }, - "related": [ - { - "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "4490fee2-5c70-4db3-8db5-8d88767dbd55", "value": "Credentials in Registry Mitigation - T1214" }, 
@@ -2993,15 +2377,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "82d8e990-c901-4aed-8596-cc002e7eb307",
 "value": "System Time Discovery Mitigation - T1124"
 },
@@ -3018,15 +2394,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "1c0b39f9-a0c5-42b2-abd8-dc8f1eb74e67",
 "value": "Browser Bookmark Discovery Mitigation - T1217"
 },
@@ -3041,15 +2409,7 @@
 "https://attack.mitre.org/mitigations/T1128"
 ]
 },
- "related": [
- {
- "dest-uuid": "bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "624d063d-cda8-4616-b4e4-54c04e427aec",
 "value": "Netsh Helper DLL Mitigation - T1128"
 },
@@ -3061,15 +2421,7 @@
 "https://attack.mitre.org/mitigations/T1219"
 ]
 },
- "related": [
- {
- "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "af093bc8-7b59-4e2a-9da8-8e839b4c50c6",
 "value": "Remote Access Tools Mitigation - T1219"
 },
@@ -3081,15 +2433,7 @@
 "https://attack.mitre.org/mitigations/T1133"
 ]
 },
- "related": [
- {
- "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2",
 "value": "External Remote Services Mitigation - T1133"
 },
@@ -3103,15 +2447,7 @@
 "https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token"
 ]
 },
- "related": [
- {
- "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "c61fee9f-16fb-4f8c-bbf0-869093fcd4a6",
 "value": "Access Token Manipulation Mitigation - T1134"
 },
@@ -3128,15 +2464,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "1f34230d-b6ae-4dc7-8599-78c18820bd21",
 "value": "Network Share Discovery Mitigation - T1135"
 },
@@ -3155,15 +2483,7 @@
 "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/"
 ]
 },
- "related": [
- {
- "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "80c91478-ac87-434f-bee7-11f37aec4d74",
 "value": "Dynamic Data Exchange Mitigation - T1173"
 },
@@ -3176,15 +2496,7 @@
 "https://attack.mitre.org/mitigations/T1146"
 ]
 },
- "related": [
- {
- "dest-uuid": "d3046a90-580c-4004-8208-66915bc29830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "3e7018e9-7389-48e7-9208-0bdbcbba9483",
 "value": "Clear Command History Mitigation - T1146"
 },
@@ -3197,15 +2509,7 @@
 "https://msdn.microsoft.com/library/windows/desktop/ms721766.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "00d7d21b-69d6-4797-88a2-c86f3fc97651",
 "value": "Password Filter DLL Mitigation - T1174"
 },
@@ -3217,15 +2521,7 @@
 "https://attack.mitre.org/mitigations/T1194"
 ]
 },
- "related": [
- {
- "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "c861bcb1-946f-450d-ab75-d4e3c1103a56",
 "value": "Spearphishing via Service Mitigation - T1194"
 },
@@ -3240,15 +2536,7 @@
 "https://www.mitre.org/sites/default/files/publications/se-guide-book-interactive.pdf"
 ]
 },
- "related": [
- {
- "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "97d8eadb-0459-4c1d-bf1a-e053bd75df61",
 "value": "Supply Chain Compromise Mitigation - T1195"
 },
@@ -3260,15 +2548,7 @@
 "https://attack.mitre.org/mitigations/T1166"
 ]
 },
- "related": [
- {
- "dest-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "073cc04d-ac46-4f5a-85d7-83a91ecd6a19",
 "value": "Setuid and Setgid Mitigation - T1166"
 },
@@ -3280,15 +2560,7 @@
 "https://attack.mitre.org/mitigations/T1168"
 ]
 },
- "related": [
- {
- "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "c47a9b55-8f61-4b82-b833-1db6242c754e",
 "value": "Local Job Scheduling Mitigation - T1168"
 },
@@ -3304,15 +2576,7 @@
 "https://msdn.microsoft.com/library/windows/desktop/dn742497.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "3a41b366-cfd6-4af2-a6e7-3c6e3c4ebcef",
 "value": "Control Panel Items Mitigation - T1196"
 },
@@ -3412,15 +2676,7 @@
 "https://docs.microsoft.com/en-us/previous-versions/system-center/operations-manager-2005/cc180803(v=technet.10)"
 ]
 },
- "related": [
- {
- "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "54246e2e-683f-4bf2-be4c-d7d5a60e7d22",
 "value": "LLMNR/NBT-NS Poisoning Mitigation - T1171"
 },
@@ -3457,6 +2713,10 @@
 "dest-uuid": "43c9bc06-715b-42db-972f-52d25c09a20c",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
 "type": "mitigates"
@@ -3542,15 +2802,7 @@
 "https://attack.mitre.org/mitigations/T1104"
 ]
 },
- "related": [
- {
- "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "514e7371-a344-4de7-8ec3-3aa42b801d52",
 "value": "Multi-Stage Channels Mitigation - T1104"
 },
@@ -3562,15 +2814,7 @@
 "https://attack.mitre.org/mitigations/T1072"
 ]
 },
- "related": [
- {
- "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "160af6af-e733-4b6a-a04a-71c620ac0930",
 "value": "Third-party Software Mitigation - T1072"
 },
@@ -3582,15 +2826,7 @@
 "https://attack.mitre.org/mitigations/T1073"
 ]
 },
- "related": [
- {
- "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "7a14d974-f3d9-4e4e-9b7d-980385762908",
 "value": "DLL Side-Loading Mitigation - T1073"
 },
@@ -3603,15 +2839,7 @@
 "https://support.apple.com/en-us/HT204005"
 ]
 },
- "related": [
- {
- "dest-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "61d02387-351a-453e-a575-160a9abc3e04",
 "value": "Re-opened Applications Mitigation - T1164"
 },
@@ -3627,15 +2855,7 @@
 "https://technet.microsoft.com/library/cc835085.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "b91c2f9e-c1a0-44df-95f0-9e7c9d1d5e55",
 "value": "SID-History Injection Mitigation - T1178"
 },
@@ -3647,15 +2867,7 @@
 "https://attack.mitre.org/mitigations/T1188"
 ]
 },
- "related": [
- {
- "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "752db800-ea54-4e7a-b4c1-2a0292350ea7",
 "value": "Multi-hop Proxy Mitigation - T1188"
 },
@@ -3671,15 +2883,7 @@
 "https://en.wikipedia.org/wiki/Control-flow_integrity"
 ]
 },
- "related": [
- {
- "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "7a4d0054-53cd-476f-88af-955dddc80ee0",
 "value": "Drive-by Compromise Mitigation - T1189"
 },
@@ -3692,15 +2896,7 @@
 "https://attack.mitre.org/mitigations/T1001"
 ]
 },
- "related": [
- {
- "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e",
 "value": "Data Obfuscation Mitigation - T1001"
 },
@@ -3713,15 +2909,7 @@
 "https://www.us-cert.gov/ncas/alerts/TA15-314A"
 ]
 },
- "related": [
- {
- "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "bcc91b8c-f104-4710-964e-1d5409666736",
 "value": "Web Shell Mitigation - T1100"
 },
@@ -3738,15 +2926,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "2497ac92-e751-4391-82c6-1b86e34d0294",
 "value": "Automated Exfiltration Mitigation - T1020"
 },
@@ -3759,15 +2939,7 @@
 "https://en.wikipedia.org/wiki/IEEE_802.1X"
 ]
 },
- "related": [
- {
- "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "54e8722d-2faf-4b1b-93b6-6cbf9551669f",
 "value": "Hardware Additions Mitigation - T1200"
 },
@@ -3784,15 +2956,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "28adf6fd-ab6c-4553-9aa7-cef18a191f33",
 "value": "Data Compressed Mitigation - T1002"
 },
@@ -3816,15 +2980,7 @@
 "https://technet.microsoft.com/library/jj865668.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "aeff5887-8f9e-48d5-a523-9b395e2ce80a",
 "value": "Credential Dumping Mitigation - T1003"
 },
@@ -3864,13 +3020,6 @@
 {
 "dest-uuid": "c6e17ca2-08b5-4379-9786-89bd05241831",
 "type": "mitigates"
- },
- {
- "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
 }
 ],
 "uuid": "7b1cf46f-784b-405a-a8dd-4624c19d8321",
@@ -3889,15 +3038,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4",
 "value": "Network Sniffing Mitigation - T1040"
 },
@@ -3914,15 +3055,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "b7b2c89c-09c1-4b71-ae7c-000ec2893aab",
 "value": "New Service Mitigation - T1050"
 },
@@ -3935,15 +3068,7 @@
 "https://attack.mitre.org/mitigations/T1008"
 ]
 },
- "related": [
- {
- "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "515f6584-fa98-44fe-a4e8-e428c7188514",
 "value": "Fallback Channels Mitigation - T1008"
 },
@@ -3960,15 +3085,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "16a8ac85-a06f-460f-ad22-910167bd7332",
 "value": "Binary Padding Mitigation - T1009"
 },
@@ -3988,17 +3105,7 @@
 "type": "mitigates"
 },
 {
- "dest-uuid": "393e8c12-a416-4575-ba90-19cc85656796",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "a5de0540-73e7-4c67-96da-4143afedc7ed",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
+ "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d",
 "type": "mitigates"
 }
 ],
@@ -4014,15 +3121,7 @@
 "https://pages.nist.gov/800-63-3/sp800-63b.html"
 ]
 },
- "related": [
- {
- "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "4a99fecc-680b-448e-8fe7-8144c60d272c",
 "value": "Brute Force Mitigation - T1110"
 },
@@ -4039,15 +3138,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "0640214c-95af-4c04-a574-2a1ba6dda00b",
 "value": "Query Registry Mitigation - T1012"
 },
@@ -4060,15 +3151,7 @@
 "https://attack.mitre.org/mitigations/T1102"
 ]
 },
- "related": [
- {
- "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "4689b9fb-dca4-473e-831b-34717ad50c97",
 "value": "Web Service Mitigation - T1102"
 },
@@ -4085,10 +3168,22 @@
 "dest-uuid": "08ea902d-ecb5-47ed-a453-2798057bb2d3",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "09b008a9-b4eb-462a-a751-a0eb58050cd9",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720",
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "233fe2c0-cb41-4765-b454-e0087597fbce",
 "type": "mitigates"
@@ -4097,6 +3192,14 @@
 "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "70910fbd-58dc-4c1c-8c48-814d11fcd022",
 "type": "mitigates"
@@ -4150,10 +3253,7 @@
 "type": "mitigates"
 },
 {
- "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
+ "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51",
 "type": "mitigates"
 }
 ],
@@ -4171,15 +3271,7 @@
 "https://attack.mitre.org/mitigations/T1103"
 ]
 },
- "related": [
- {
- "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "10571bf2-8073-4edf-a71c-23bad225532e",
 "value": "AppInit DLLs Mitigation - T1103"
 },
@@ -4425,15 +3517,7 @@
 "https://attack.mitre.org/mitigations/T1013"
 ]
 },
- "related": [
- {
- "dest-uuid": "1f47e2fd-fa77-4f2f-88ee-e85df308f125",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "1c6bc7f3-d517-4971-aed4-8f939090846b",
 "value": "Port Monitors Mitigation - T1013"
 },
@@ -4595,6 +3679,10 @@
 "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
 "type": "mitigates"
@@ -4654,15 +3742,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "c085476e-1964-4d7f-86e1-d8657a7741e8",
 "value": "Accessibility Features Mitigation - T1015"
 },
@@ -4674,15 +3754,7 @@
 "https://attack.mitre.org/mitigations/T1150"
 ]
 },
- "related": [
- {
- "dest-uuid": "06780952-177c-4247-b978-79c357fb311f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "2d704e56-e689-4011-b989-bf4e025a8727",
 "value": "Plist Modification Mitigation - T1150"
 },
@@ -4708,15 +3780,7 @@
 "https://www.acunetix.com/websitesecurity/webserver-security/"
 ]
 },
- "related": [
- {
- "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5",
 "value": "Shared Webroot Mitigation - T1051"
 },
@@ -4728,15 +3792,7 @@
 "https://attack.mitre.org/mitigations/T1160"
 ]
 },
- "related": [
- {
- "dest-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "402e92cd-5608-4f4b-9a34-a2c962e4bcd7",
 "value": "Launch Daemon Mitigation - T1160"
 },
@@ -4753,15 +3809,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "34efb2fd-4dc2-40d4-a564-0c147c85034d",
 "value": "File Deletion Mitigation - T1107"
 },
@@ -4942,6 +3990,10 @@
 "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
 "type": "mitigates"
@@ -5054,6 +4106,10 @@
 "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "b0e54bf7-835e-4f44-bd8e-62f431b9b76a",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
 "type": "mitigates"
@@ -5078,6 +4134,10 @@
 "dest-uuid": "cacc40da-4c9e-462c-80d5-fd70a178b12d",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "cf1c2504-433f-4c4e-a1f8-91de45a0318c",
 "type": "mitigates"
@@ -5184,15 +4244,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "f9b3e5d9-7454-4b7d-bce6-27620e19924e",
 "value": "Redundant Access Mitigation - T1108"
 },
@@ -5217,15 +4269,7 @@
 "https://attack.mitre.org/mitigations/T1019"
 ]
 },
- "related": [
- {
- "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "25e53928-6f33-49b7-baee-8180578286f6",
 "value": "System Firmware Mitigation - T1019"
 },
@@ -5275,15 +4319,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "2a8de25c-f743-4348-b101-3ee33ab5871b",
 "value": "Data Encrypted Mitigation - T1022"
 },
@@ -5301,15 +4337,7 @@
 "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482"
 ]
 },
- "related": [
- {
- "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "a13e35cc-8c90-4d77-a965-5461042c1612",
 "value": "Shortcut Modification Mitigation - T1023"
 },
@@ -5321,15 +4349,7 @@
 "https://attack.mitre.org/mitigations/T1204"
 ]
 },
- "related": [
- {
- "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "548bf7ad-e19c-4d74-84bf-84ac4e57f505",
 "value": "User Execution Mitigation - T1204"
 },
@@ -5516,15 +4536,7 @@
 "https://attack.mitre.org/mitigations/T1205"
 ]
 },
- "related": [
- {
- "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "f6b7c116-0821-4eb7-9b24-62bd09b3e575",
 "value": "Port Knocking Mitigation - T1205"
 },
@@ -5557,6 +4569,10 @@
 "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "1126cab1-c700-412f-a510-61f4937bb096",
 "type": "mitigates"
@@ -5833,10 +4849,18 @@
 "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "b8017880-4b1e-42de-ad10-ae7ac6705166",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
 "type": "mitigates"
@@ -5901,6 +4925,10 @@
 "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "e8a0a025-3601-4755-abfb-8d08283329fb",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "ea016b56-ae0e-47fe-967a-cc0ad51af67f",
 "type": "mitigates"
@@ -5978,15 +5006,7 @@
 "https://attack.mitre.org/mitigations/T1026"
 ]
 },
- "related": [
- {
- "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "da987565-27b6-4b31-bbcd-74b909847116",
 "value": "Multiband Communication Mitigation - T1026"
 },
@@ -5998,15 +5018,7 @@
 "https://attack.mitre.org/mitigations/T1206"
 ]
 },
- "related": [
- {
- "dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "dbf0186e-722d-4a0a-af6a-b3460f162f84",
 "value": "Sudo Caching Mitigation - T1206"
 },
@@ -6248,15 +5260,7 @@
 "https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings"
 ]
 },
- "related": [
- {
- "dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "a1482e43-f3ff-4fbd-94de-ad1244738166",
 "value": "Time Providers Mitigation - T1209"
 },
@@ -6269,15 +5273,7 @@
 "https://attack.mitre.org/mitigations/T1029"
 ]
 },
- "related": [
- {
- "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "1c0711c8-2a73-48a1-893d-ff88bcd23824",
 "value": "Scheduled Transfer Mitigation - T1029"
 },
@@ -6298,14 +5294,30 @@
 "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720",
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
 "type": "mitigates"
@@ -6411,15 +5423,7 @@
 "https://skanthak.homepage.t-online.de/sentinel.html"
 ]
 },
- "related": [
- {
- "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "e0703d4f-3972-424a-8277-84004817e024",
 "value": "Path Interception Mitigation - T1034"
 },
@@ -6436,15 +5440,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "d5dce4b9-f1fa-4c03-aff9-ce177246cb64",
 "value": "Service Execution Mitigation - T1035"
 },
@@ -6464,15 +5460,7 @@
 "https://technet.microsoft.com/library/jj852168.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "f2cb6ce2-188d-4162-8feb-594f949b13dd",
 "value": "Scheduled Task Mitigation - T1053"
 },
@@ -6570,6 +5558,10 @@
 "dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "36b2a1d7-e09e-49bf-b45e-477076c2ec01",
 "type": "mitigates"
@@ -6590,6 +5582,10 @@
 "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
 "type": "mitigates"
@@ -6701,15 +5697,7 @@
 "https://attack.mitre.org/mitigations/T1037"
 ]
 },
- "related": [
- {
- "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "9ab7de33-99b2-4d8d-8cf3-182fa0015cc2",
 "value": "Logon Scripts Mitigation - T1037"
 },
@@ -6747,15 +5735,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "7c39ebbf-244e-4d1c-b0ac-b282453ece43",
 "value": "Process Hollowing Mitigation - T1093"
 },
@@ -6810,15 +5790,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "c95c8b5c-b431-43c9-9557-f494805e2502",
 "value": "Software Packing Mitigation - T1045"
 },
@@ -6830,15 +5802,7 @@
 "https://attack.mitre.org/mitigations/T1074"
 ]
 },
- "related": [
- {
- "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "4320b080-9ae9-4541-9b8b-bcd0961dbbbd",
 "value": "Data Staged Mitigation - T1074"
 },
@@ -6917,6 +5881,10 @@
 "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549",
 "type": "mitigates"
@@ -6942,17 +5910,26 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
+ "related": [],
+ "uuid": "f6469191-1814-4dbe-a081-2a6daf83a10b",
+ "value": "Process Discovery Mitigation - T1057"
+ },
+ {
+ "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.",
+ "meta": {
+ "external_id": "M1059",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1059"
+ ]
+ },
 "related": [
 {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
+ "dest-uuid": "ea132c68-b518-4478-ae8d-1763cda26ee3",
 "type": "mitigates"
 }
 ],
- "uuid": "f6469191-1814-4dbe-a081-2a6daf83a10b",
- "value": "Process Discovery Mitigation - T1057"
+ "uuid": "76a32151-5233-465f-a607-7e576c62c932",
+ "value": "Do Not Mitigate - M1059"
 },
 {
 "description": "Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located HKLM\\ SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. (Citation: UCF STIG Elevation Account Enumeration)\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire information about system and domain accounts, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
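Review bot: The new "Do Not Mitigate - M1059" entry carries a `"type": "mitigates"` edge to `ea132c68-b518-4478-ae8d-1763cda26ee3` although its own description says mitigation is not recommended, so a consumer that treats `mitigates` relationships as defensive coverage will score that technique as covered when the intended meaning is the opposite. If the relationship vocabulary cannot express a negative recommendation, the description should at least say that edges from this entry mean "do not apply a mitigation", for example by appending `Techniques linked from this entry are ones where a mitigation is not recommended.` to the description. Whether the upstream ATT&CK data uses the same relationship type for M1059 is not visible here, so this may need to be handled in the generator rather than in this file.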
@@ -6968,15 +5945,7 @@
 "https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077"
 ]
 },
- "related": [
- {
- "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "5c49bc54-9929-48ca-b581-7018219b5a97",
 "value": "Account Discovery Mitigation - T1087"
 },
@@ -6992,15 +5961,7 @@
 "https://www.us-cert.gov/ncas/alerts/TA13-175A"
 ]
 },
- "related": [
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "d45f03a8-790a-4f90-b956-cd7e5b8886bf",
 "value": "Valid Accounts Mitigation - T1078"
 },
@@ -7013,15 +5974,7 @@
 "https://attack.mitre.org/mitigations/T1079"
 ]
 },
- "related": [
- {
- "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "24478001-2eb3-4b06-a02e-96b3d61d27ec",
 "value": "Multilayer Encryption Mitigation - T1079"
 },
@@ -7038,15 +5991,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "ed202147-4026-4330-b5bd-1e8dfa8cf7cc",
 "value": "Modify Registry Mitigation - T1112"
 },
@@ -7060,15 +6005,7 @@
 "https://technet.microsoft.com/en-us/library/dn408187.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "943d370b-2054-44df-8be2-ab4139bde1c5",
 "value": "Authentication Package Mitigation - T1131"
 },
@@ -7085,15 +6022,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "51b37302-b844-4c08-ac98-ae6955ed1f55",
 "value": "Screen Capture Mitigation - T1113"
 },
@@ -7110,15 +6039,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "383caaa3-c46a-4f61-b2e3-653eb132f0e7",
 "value": "Email Collection Mitigation - T1114"
 },
@@ -7130,15 +6051,7 @@
 "https://attack.mitre.org/mitigations/T1141"
 ]
 },
- "related": [
- {
- "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "8a61f6b9-6b7a-4cf2-8e08-f1e26434f6df",
 "value": "Input Prompt Mitigation - T1141"
 },
@@ -7155,15 +6068,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "19edfa02-1a5f-47e4-ad82-3288f57f64cf",
 "value": "Clipboard Data Mitigation - T1115"
 },
@@ -7175,15 +6080,7 @@
 "https://attack.mitre.org/mitigations/T1161"
 ]
 },
- "related": [
- {
- "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "77fd4d73-6b79-4593-82e7-e4a439cc7604",
 "value": "LC_LOAD_DYLIB Addition Mitigation - T1161"
 },
@@ -7198,15 +6095,7 @@
 "https://technet.microsoft.com/en-us/library/cc733026.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "82fbc58b-171d-4a2d-9a20-c6b2a716bd08",
 "value": "Code Signing Mitigation - T1116"
 },
@@ -7223,15 +6112,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "8bd1ae32-a686-48f4-a6f8-470287f76152",
 "value": "Automated Collection Mitigation - T1119"
 },
@@ -7262,15 +6143,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d",
 "value": "Audio Capture Mitigation - T1123"
 },
@@ -7283,15 +6156,7 @@
 "https://attack.mitre.org/mitigations/T1132"
 ]
 },
- "related": [
- {
- "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "fcbe8424-eb3e-4794-b76d-e743f5a49b8b",
 "value": "Data Encoding Mitigation - T1132"
 },
@@ -7308,15 +6173,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d",
 "value": "Video Capture Mitigation - T1125"
 },
@@ -7329,15 +6186,7 @@
 "https://support.apple.com/en-us/HT204005"
 ]
 },
- "related": [
- {
- "dest-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "06824aa2-94a5-474c-97f6-57c2e983d885",
 "value": "Login Item Mitigation - T1162"
 },
@@ -7351,15 +6200,7 @@
 "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html"
 ]
 },
- "related": [
- {
- "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "62ae52c9-7197-4f5b-be1d-10d2e1df2c96",
 "value": "Domain Fronting Mitigation - T1172"
 },
@@ -7374,15 +6215,7 @@
 "https://attack.mitre.org/mitigations/T1182"
 ]
 },
- "related": [
- {
- "dest-uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "95c29444-49f9-49f7-8b20-bcd68d8fcaa6",
 "value": "AppCert DLLs Mitigation - T1182"
 },
@@ -7394,15 +6227,7 @@
 "https://attack.mitre.org/mitigations/T1192"
 ]
 },
- "related": [
- {
- "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "ad7f983d-d5a8-4fce-a38c-b68eda61bf4e",
 "value": "Spearphishing Link Mitigation - T1192"
 },
@@ -7414,15 +6239,7 @@
 "https://attack.mitre.org/mitigations/T1143"
 ]
 },
- "related": [
- {
- "dest-uuid": "04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "fae44eea-caa7-42b7-a2e2-0c815ba81b9a",
 "value": "Hidden Window Mitigation - T1143"
 },
@@ -7434,15 +6251,7 @@
 "https://attack.mitre.org/mitigations/T1136"
 ]
 },
- "related": [
- {
- "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "9a5b7194-88e0-4579-b82f-e3c27b8cca80",
 "value": "Create Account Mitigation - T1136"
 },
@@ -7454,15 +6263,7 @@
 "https://attack.mitre.org/mitigations/T1138"
 ]
 },
- "related": [
- {
- "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "cfc2d2fc-14ff-495f-bd99-585be47b804f",
 "value": "Application Shimming Mitigation - T1138"
 },
@@ -7474,15 +6275,7 @@
 "https://attack.mitre.org/mitigations/T1193"
 ]
 },
- "related": [
- {
- "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "8f6b5ca6-263a-4ea9-98f3-afd2a3cd8119",
 "value": "Spearphishing Attachment Mitigation - T1193"
 },
@@ -7494,15 +6287,7 @@
 "https://attack.mitre.org/mitigations/T1139"
 ]
 },
- "related": [
- {
- "dest-uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "ace4daee-f914-4707-be75-843f16da2edf",
 "value": "Bash History Mitigation - T1139"
 },
@@ -7514,15 +6299,7 @@
 "https://attack.mitre.org/mitigations/T1144"
 ]
 },
- "related": [
- {
- "dest-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158",
 "value": "Gatekeeper Bypass Mitigation - T1144"
 },
@@ -7534,15 +6311,7 @@
 "https://attack.mitre.org/mitigations/T1145"
 ]
 },
- "related": [
- {
- "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "f27ef4f2-71fe-48b6-b7f4-02dcac14320e",
 "value": "Private Keys Mitigation - T1145"
 },
@@ -7554,15 +6323,7 @@
 "https://attack.mitre.org/mitigations/T1147"
 ]
 },
- "related": [
- {
- "dest-uuid": "ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "12cba7de-0a22-4a56-b51e-c514c67c3b43",
 "value": "Hidden Users Mitigation - T1147"
 },
@@ -7575,15 +6336,7 @@
 "https://www.symantec.com/connect/articles/ssh-and-ssh-agent"
 ]
 },
- "related": [
- {
- "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "41cff8e9-fd05-408e-b3d5-d98c54c20bcf",
 "value": "SSH Hijacking Mitigation - T1184"
 },
@@ -7595,15 +6348,7 @@
 "https://attack.mitre.org/mitigations/T1149"
 ]
 },
- "related": [
- {
- "dest-uuid": "a0a189c8-d3bd-4991-bf6f-153d185ee373",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "6e7db820-9735-4545-bc64-039bc4ce354b",
 "value": "LC_MAIN Hijacking Mitigation - T1149"
 },
@@ -7615,15 +6360,7 @@
 "https://attack.mitre.org/mitigations/T1165"
 ]
 },
- "related": [
- {
- "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "94927849-03e3-4a07-8f4c-9ee21b626719",
 "value": "Startup Items Mitigation - T1165"
 },
@@ -7635,15 +6372,7 @@
 "https://attack.mitre.org/mitigations/T1157"
 ]
 },
- "related": [
- {
- "dest-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "dc43c2fe-355e-4a79-9570-3267b0992784",
 "value": "Dylib Hijacking Mitigation - T1157"
 },
@@ -7655,15 +6384,7 @@
 "https://attack.mitre.org/mitigations/T1159"
 ]
 },
- "related": [
- {
- "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "121b2863-5b97-4538-acb3-f8aae070ec13",
 "value": "Launch Agent Mitigation - T1159"
 },
@@ -7676,15 +6397,7 @@
 "https://attack.mitre.org/mitigations/T1176"
 ]
 },
- "related": [
- {
- "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "b52f41b9-ccf6-4da7-a6c0-167eeb71fbd8",
 "value": "Browser Extensions Mitigation - T1176"
 },
@@ -7701,15 +6414,7 @@
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
 ]
 },
- "related": [
- {
- "dest-uuid": "c1a452f3-6499-4c12-b7e9-a6a0a102af76",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "34d6a2ef-370e-4d21-a34b-6208b7c78f31",
 "value": "Process Doppelgänging Mitigation - T1186"
 },
@@ -7725,15 +6430,7 @@
 "https://technet.microsoft.com/library/dn408187.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "7a6e5ca3-562f-4185-a323-f3b62b5b2e6b",
 "value": "LSASS Driver Mitigation - T1177"
 },
@@ -7747,15 +6444,7 @@
 "https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices"
 ]
 },
- "related": [
- {
- "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "7009ba4d-83d4-4851-9fbb-e09e28497765",
 "value": "Forced Authentication Mitigation - T1187"
 },
@@ -7770,15 +6459,7 @@
 "https://www.symantec.com/connect/blogs/malware-update-windows-update"
 ]
 },
- "related": [
- {
- "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "cb825b86-3f3b-4686-ba99-44878f5d3173",
 "value": "BITS Jobs Mitigation - T1197"
 },
@@ -7790,15 +6471,7 @@
 "https://attack.mitre.org/mitigations/T1199"
 ]
 },
- "related": [
- {
- "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "797312d4-8a84-4daf-9c56-57da4133c322",
 "value": "Trusted Relationship Mitigation - T1199"
 },
@@ -8006,6 +6679,10 @@
 "dest-uuid": "d245808a-7086-4310-984a-a84aaaa43f8f",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "d4b96d2c-1032-4b22-9235-2b5b649d0605",
 "type": "mitigates"
@@ -8050,15 +6727,7 @@
 "https://attack.mitre.org/mitigations/T1163"
 ]
 },
- "related": [
- {
- "dest-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "c3cf2312-3aab-4aaf-86e6-ab3505430482",
 "value": "Rc.common Mitigation - T1163"
 },
@@ -8099,15 +6768,7 @@
 "https://attack.mitre.org/mitigations/T1121"
 ]
 },
- "related": [
- {
- "dest-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "a90da496-b460-47e8-92e7-cc36eb00bd9a",
 "value": "Regsvcs/Regasm Mitigation - T1121"
 },
@@ -8160,6 +6821,10 @@
 "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "8605a0ec-b44a-4e98-a7fc-87d4bd3acb66",
 "type": "mitigates"
@@ -8187,20 +6852,6 @@
 {
 "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57",
 "type": "mitigates"
- },
- {
- "dest-uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
 }
 ],
 "uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
@@ -8226,20 +6877,6 @@
 {
 "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d",
 "type": "mitigates"
- },
- {
- "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
 }
 ],
 "uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
@@ -8410,22 +7047,7 @@
 "https://attack.mitre.org/mitigations/M1005"
 ]
 },
- "related": [
- {
- "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "1553b156-6767-47f7-9eb4-2a692505666d",
 "value": "Application Vetting - M1005"
 },
@@ -8454,6 +7076,10 @@
 "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "561ae9aa-c28a-4144-9eec-e7027a14c8c3",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
 "type": "mitigates"
@@ -8635,6 +7261,10 @@
 "dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "dfafc230-5465-4993-8dc5-f51fa9fec002",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
 "type": "mitigates"
@@ -8666,20 +7296,6 @@
 {
 "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0",
 "type": "mitigates"
- },
- {
- "dest-uuid": "a0464539-e1b7-4455-a355-12495987c300",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "6f86d346-f092-4abc-80df-8558a90c426a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
 }
 ],
 "uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1",
@@ -8754,6 +7370,10 @@
 "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "dfafc230-5465-4993-8dc5-f51fa9fec002",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd",
 "type": "mitigates"
@@ -8761,27 +7381,6 @@
 {
 "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0",
 "type": "mitigates"
- },
- {
- "dest-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
 }
 ],
 "uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee",
@@ -8804,20 +7403,6 @@
 {
 "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
 "type": "mitigates"
- },
- {
- "dest-uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "52651225-0b3a-482d-aa7e-10618fd063b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
 }
 ],
 "uuid": "e829ee51-1caf-4665-ba15-7f8979634124",
@@ -8836,15 +7421,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "95ddb356-7ba0-4bd9-a889-247262b8946f",
 "value": "Rootkit Mitigation - T1014"
 },
@@ -8901,6 +7478,10 @@
 "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83",
 "type": "mitigates"
@@ -8913,6 +7494,10 @@
 "dest-uuid": "52759bf1-fe12-4052-ace6-c5b0cf7dd7fd",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4",
 "type": "mitigates"
@@ -8949,6 +7534,10 @@
 "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
 "type": "mitigates"
@@ -8973,6 +7562,10 @@
 "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "e8a0a025-3601-4755-abfb-8d08283329fb",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "ee7ff928-801c-4f34-8a99-3df965e581a5",
 "type": "mitigates"
@@ -9030,15 +7623,7 @@
 "https://attack.mitre.org/mitigations/T1170"
 ]
 },
- "related": [
- {
- "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "d2dce10b-3562-4d61-b2f5-7c6384b038e2",
 "value": "Mshta Mitigation - T1170"
 },
@@ -9252,15 +7837,7 @@
 "https://technet.microsoft.com/library/cc938799.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "9da16278-c6c5-4410-8a6b-9c16ce8005b3",
 "value": "Screensaver Mitigation - T1180"
 },
@@ -9273,15 +7850,7 @@
 "https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET"
 ]
 },
- "related": [
- {
- "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "8c918d8a-11c5-4ffd-af10-e74bc06bdfae",
 "value": "Rundll32 Mitigation - T1085"
 },
@@ -9293,15 +7862,7 @@
 "https://attack.mitre.org/mitigations/T1062"
 ]
 },
- "related": [
- {
- "dest-uuid": "4be89c7c-ace6-4876-9377-c8d54cef3d63",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "2c3ce852-06a2-40ee-8fe6-086f6402a739",
 "value": "Hypervisor Mitigation - T1062"
 },
@@ -9313,15 +7874,7 @@
 "https://attack.mitre.org/mitigations/T1207"
 ]
 },
- "related": [
- {
- "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "b70627f7-3b43-4c6f-8fc0-c918c41f8f72",
 "value": "DCShadow Mitigation - T1207"
 },
@@ -9398,10 +7951,22 @@
 "dest-uuid": "4ffc1794-ec3b-45be-9e52-42dbcb2af2de",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814",
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
 "type": "mitigates"
@@ -9474,10 +8039,6 @@
 "dest-uuid": "d273434a-448e-4598-8e14-607f4a0d5e27",
 "type": "mitigates"
 },
- {
- "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6",
- "type": "mitigates"
- },
 {
 "dest-uuid": "d50955c2-272d-4ac8-95da-10c29dda1c48",
 "type": "mitigates"
@@ -9523,15 +8084,7 @@
 "https://attack.mitre.org/mitigations/T1208"
 ]
 },
- "related": [
- {
- "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "a3e12b04-8598-4909-8855-2c97c1e7d549",
 "value": "Kerberoasting Mitigation - T1208"
 },
@@ -9597,15 +8150,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "45e7f570-6a0b-4095-bf02-4bca05da6bae",
 "value": "Masquerading Mitigation - T1036"
 },
@@ -9686,6 +8231,10 @@
 "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
 "type": "mitigates"
@@ -9722,6 +8271,10 @@
 "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "561ae9aa-c28a-4144-9eec-e7027a14c8c3",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2",
 "type": "mitigates"
@@ -9862,10 +8415,18 @@
 "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "e6f19759-dde3-47fc-99cc-d9f5fa4ade60",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
 "type": "mitigates"
@@ -9903,6 +8464,10 @@
 "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
 "type": "mitigates"
@@ -9975,6 +8540,10 @@
 "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "b0e54bf7-835e-4f44-bd8e-62f431b9b76a",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7",
 "type": "mitigates"
@@ -9991,6 +8560,10 @@
 "dest-uuid": "cca0ccb6-a068-4574-a722-b1556f86833a",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a",
 "type": "mitigates"
@@ -10121,6 +8694,10 @@
 "dest-uuid": "39131305-9282-45e4-ac3b-591d2d4fc3ef",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c",
 "type": "mitigates"
@@ -10163,15 +8740,7 @@
 "https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/"
 ]
 },
- "related": [
- {
- "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "57019a80-8523-46b6-be7d-f763a15a2cc6",
 "value": "Scripting Mitigation - T1064"
 },
@@ -10185,15 +8754,7 @@
 "https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process"
 ]
 },
- "related": [
- {
- "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "96150c35-466f-4f0a-97a9-ae87ee27f751",
 "value": "Bootkit Mitigation - T1067"
 },
@@ -10206,15 +8767,7 @@
 "https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/"
 ]
 },
- "related": [
- {
- "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "d0415180-51e9-40ce-b57c-c332b0b441f2",
 "value": "PowerShell Mitigation - T1086"
 },
@@ -10231,15 +8784,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "5c167af7-c2cb-42c8-ae67-3fb275bf8488",
 "value": "Timestomp Mitigation - T1099"
 },
@@ -10252,15 +8797,7 @@
 "https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET"
 ]
 },
- "related": [
- {
- "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "12c13879-b7bd-4bc5-8def-aacec386d432",
 "value": "Regsvr32 Mitigation - T1117"
 },
@@ -10272,15 +8809,7 @@
 "https://attack.mitre.org/mitigations/T1118"
 ]
 },
- "related": [
- {
- "dest-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "ec418d1b-4963-439f-b055-f914737ef362",
 "value": "InstallUtil Mitigation - T1118"
 },
@@ -10293,15 +8822,7 @@
 "https://msitpros.com/?p=3960"
 ]
 },
- "related": [
- {
- "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "91816292-3686-4a6e-83c4-4c08513b9b57",
 "value": "CMSTP Mitigation - T1191"
 },
@@ -10313,15 +8834,7 @@
 "https://attack.mitre.org/mitigations/T1142"
 ]
 },
- "related": [
- {
- "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "56648de3-8947-4559-90c4-eda10acc0f5a",
 "value": "Keychain Mitigation - T1142"
 },
@@ -10333,15 +8846,7 @@
 "https://attack.mitre.org/mitigations/T1152"
 ]
 },
- "related": [
- {
- "dest-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "e333cf16-5bfa-453e-8e6a-3a4c63d6bfcc",
 "value": "Launchctl Mitigation - T1152"
 },
@@ -10353,15 +8858,7 @@
 "https://attack.mitre.org/mitigations/T1153"
 ]
 },
- "related": [
- {
- "dest-uuid": "45d84c8b-c1e2-474d-a14d-69b5de0a2bc0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "5391ece4-8866-415d-9b5e-8dc5944f612a",
 "value": "Source Mitigation - T1153"
 },
@@ -10373,15 +8870,7 @@
 "https://attack.mitre.org/mitigations/T1154"
 ]
 },
- "related": [
- {
- "dest-uuid": "b53dbcc6-147d-48bb-9df4-bcb8bb808ff6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "809b79cd-be78-4597-88d1-5496d1d9993a",
 "value": "Trap Mitigation - T1154"
 },
@@ -10394,15 +8883,7 @@
 "https://attack.mitre.org/mitigations/T1148"
 ]
 },
- "related": [
- {
- "dest-uuid": "086952c4-5b90-4185-b573-02bad8e11953",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "03c0c586-50ed-45a7-95f4-f496d7eb5330",
 "value": "HISTCONTROL Mitigation - T1148"
 },
@@ -10428,15 +8909,7 @@
 "https://www.engadget.com/2013/10/23/applescript-and-automator-gain-new-features-in-os-x-mavericks/"
 ]
 },
- "related": [
- {
- "dest-uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "1e4ef2c7-ee96-4484-9baa-3b5777561301",
 "value": "AppleScript Mitigation - T1155"
 },
@@ -10448,15 +8921,7 @@
 "https://attack.mitre.org/mitigations/T1169"
 ]
 },
- "related": [
- {
- "dest-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "23bff3ce-021c-4e7a-9aee-60fd40bc7c6c",
 "value": "Sudo Mitigation - T1169"
 },
@@ -10468,15 +8933,7 @@
 "https://attack.mitre.org/mitigations/T1179"
 ]
 },
- "related": [
- {
- "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "7aee8ea0-0baa-4232-b379-5d9ce98352cf",
 "value": "Hooking Mitigation - T1179"
 },
@@ -10509,6 +8966,10 @@
 "dest-uuid": "0a241b6c-7bb2-48f9-98f7-128145b4d27f",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "0cc222f5-c3ff-48e6-9f52-3314baf9d37e",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "0dda99f0-4701-48ca-9774-8504922e92d3",
 "type": "mitigates"
@@ -10517,6 +8978,10 @@
 "dest-uuid": "0ff59227-8aa8-4c09-bf1f-925605bd07ea",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "149b477f-f364-4824-b1b5-aa1d56115869",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "155207c0-7f53-4f13-a06b-0a9907ef5096",
 "type": "mitigates"
@@ -10834,10 +9299,22 @@
 "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "09b008a9-b4eb-462a-a751-a0eb58050cd9",
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
 "type": "mitigates"
@@ -10911,6 +9388,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df",
 "type": "mitigates"
@@ -10979,13 +9460,6 @@
 {
 "dest-uuid": "ccde43e4-78f9-4f32-b401-c081e7db71ea",
 "type": "mitigates"
- },
- {
- "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
 }
 ],
 "uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c",
@@ -11104,6 +9578,10 @@
 "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
 "type": "mitigates"
@@ -11120,6 +9598,10 @@
 "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
 "type": "mitigates"
@@ -11128,6 +9610,10 @@
 "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "54ca26f3-c172-4231-93e5-ccebcac2161f",
 "type": "mitigates"
@@ -11192,6 +9678,10 @@
 "dest-uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "7f0ca133-88c4-40c6-a62f-b3083a7fbc2e",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "800f9819-7007-4540-a520-40e655876800",
 "type": "mitigates"
@@ -11236,6 +9726,10 @@
 "dest-uuid": "a0e6614a-7740-4b24-bd65-f1bde09fc365",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "a6557c75-798f-42e4-be70-ab4502e0a3bc",
 "type": "mitigates"
@@ -11292,6 +9786,10 @@
 "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c",
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "e8a0a025-3601-4755-abfb-8d08283329fb",
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "ea071aa0-8f17-416f-ab0d-2bab7e79003d",
 "type": "mitigates"
@@ -11329,5 +9827,5 @@
 "value": "Audit - M1047"
 }
 ],
- "version": 28
+ "version": 29
 }
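Review bot: The relation removed in the hunk at -10979 targets `46d818a5-67fa-4585-a7fc-ecf15376c8d5`, a different technique from the retained neighbour `ccde43e4-78f9-4f32-b401-c081e7db71ea`, so within the hunk this is not a de-duplication but the loss of a `mitigates` link from cluster `ff4821f6-5afb-481b-8c0f-26c28c0d666c`. An untagged `46d818a5…` entry may exist earlier in that cluster's `related` list outside the hunk; if it does not, the link should be kept as `{ "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", "type": "mitigates" }`. The enclosing cluster starts outside the hunk.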
diff --git a/clusters/mitre-data-component.json b/clusters/mitre-data-component.json index 4ec2d794..34621e88 100644 --- a/clusters/mitre-data-component.json +++ b/clusters/mitre-data-component.json @@ -179,6 +179,10 @@ "dest-uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331", "type": "detects" }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "type": "detects" + }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "type": "detects" @@ -199,6 +203,10 @@ "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", "type": "detects" }, + { + "dest-uuid": "ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae", + "type": "detects" + }, { "dest-uuid": "d50955c2-272d-4ac8-95da-10c29dda1c48", "type": "detects" @@ -867,6 +875,10 @@ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "type": "detects" }, + { + "dest-uuid": "24769ab5-14bd-4f4e-a752-cfb185da53ee", + "type": "detects" + }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "detects" @@ -1051,6 +1063,10 @@ "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", "type": "detects" }, + { + "dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc", + "type": "detects" + }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "detects" @@ -1099,6 +1115,10 @@ "dest-uuid": "d456de47-a16f-4e46-8980-e67478a12dcb", "type": "detects" }, + { + "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", + "type": "detects" + }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "detects" @@ -1115,6 +1135,10 @@ "dest-uuid": "e848506b-8484-4410-8017-3d235a52f5b3", "type": "detects" }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "type": "detects" + }, { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "type": "detects" @@ -2487,6 +2511,10 @@ "dest-uuid": "cacc40da-4c9e-462c-80d5-fd70a178b12d", "type": "detects" }, + { + "dest-uuid": "ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae", + "type": "detects" + }, { "dest-uuid": "e52d89f9-1710-4708-88a5-cbef77c4cd5e", "type": "included-in" 
@@ -2494,6 +2522,10 @@
 {
 "dest-uuid": "e848506b-8484-4410-8017-3d235a52f5b3",
 "type": "detects"
+ },
+ {
+ "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
+ "type": "detects"
 }
 ],
 "uuid": "e52d89f9-1710-4708-88a5-cbef77c4cd5e",
@@ -2877,6 +2909,10 @@
 "dest-uuid": "cca0ccb6-a068-4574-a722-b1556f86833a",
 "type": "detects"
 },
+ {
+ "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "type": "detects"
+ },
 {
 "dest-uuid": "cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8",
 "type": "detects"
@@ -2921,6 +2957,10 @@
 "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
 "type": "detects"
 },
+ {
+ "dest-uuid": "eb897572-8979-4242-a089-56f294f4c91d",
+ "type": "detects"
+ },
 {
 "dest-uuid": "ee7ff928-801c-4f34-8a99-3df965e581a5",
 "type": "detects"
@@ -3601,6 +3641,24 @@
 "uuid": "b9a1578e-8653-4103-be23-cb52e0b1816e",
 "value": "Named Pipe Metadata"
 },
+ {
+ "description": "Additional assets included with an application",
+ "meta": {
+ "refs": []
+ },
+ "related": [
+ {
+ "dest-uuid": "613788f2-ad72-43f5-b5f7-a93e2adc70fa",
+ "type": "included-in"
+ },
+ {
+ "dest-uuid": "dfafc230-5465-4993-8dc5-f51fa9fec002",
+ "type": "detects"
+ }
+ ],
+ "uuid": "613788f2-ad72-43f5-b5f7-a93e2adc70fa",
+ "value": "Application Assets"
+ },
 {
 "description": "API calls utilized by an application that could indicate malicious activity",
 "meta": {
@@ -4153,6 +4211,10 @@
 "refs": []
 },
 "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "type": "detects"
+ },
 {
 "dest-uuid": "1126cab1-c700-412f-a510-61f4937bb096",
 "type": "detects"
@@ -4180,6 +4242,10 @@
 {
 "dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec",
 "type": "detects"
+ },
+ {
+ "dest-uuid": "b0e54bf7-835e-4f44-bd8e-62f431b9b76a",
+ "type": "detects"
 }
 ],
 "uuid": "a5ae90ca-0c4b-481c-959f-0eb18a7ff953",
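Review bot: The new `Application Assets` cluster in the hunk at -3601 declares an `included-in` relation whose `dest-uuid` is its own `uuid` (`613788f2-ad72-43f5-b5f7-a93e2adc70fa`), so the data component points at itself instead of at the data source that lists it; the matching `includes` side added to mitre-data-source.json (hunk -225) lives in a data source whose uuid is not `613788f2…`, and that data source's uuid is the value this relation should carry. The context at -2487/-2494 shows the existing cluster `e52d89f9-1710-4708-88a5-cbef77c4cd5e` with the same self-referential `included-in`, which suggests the generator maps the component's own id rather than its data source reference, so the fix belongs where that relation is built rather than in this one entry. Until then, MISP cannot walk from a data component to its data source through this relation, while the reverse `includes` direction works.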
@@ -4539,6 +4605,10 @@ "dest-uuid": "3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc", "type": "detects" }, + { + "dest-uuid": "3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5", + "type": "detects" + }, { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "type": "detects" @@ -4663,6 +4733,10 @@ "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf", "type": "detects" }, + { + "dest-uuid": "561ae9aa-c28a-4144-9eec-e7027a14c8c3", + "type": "detects" + }, { "dest-uuid": "562e9b64-7239-493d-80f4-2bff900d9054", "type": "detects" @@ -5039,6 +5113,10 @@ "dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec", "type": "detects" }, + { + "dest-uuid": "b0e54bf7-835e-4f44-bd8e-62f431b9b76a", + "type": "detects" + }, { "dest-uuid": "b22e5153-ac28-4cc6-865c-2054e36285cb", "type": "detects" @@ -5275,6 +5353,14 @@ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "detects" }, + { + "dest-uuid": "e6f19759-dde3-47fc-99cc-d9f5fa4ade60", + "type": "detects" + }, + { + "dest-uuid": "e8a0a025-3601-4755-abfb-8d08283329fb", + "type": "detects" + }, { "dest-uuid": "ea071aa0-8f17-416f-ab0d-2bab7e79003d", "type": "detects" @@ -5385,6 +5471,14 @@ "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "type": "detects" }, + { + "dest-uuid": "09b008a9-b4eb-462a-a751-a0eb58050cd9", + "type": "detects" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "type": "detects" + }, { "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", "type": "detects" @@ -5397,6 +5491,10 @@ "dest-uuid": "0cfe31a7-81fc-472c-bc45-e2808d1066a3", "type": "detects" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "detects" + }, { "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", "type": "detects" @@ -5477,6 +5575,10 @@ "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", "type": "detects" }, + { + "dest-uuid": "356662f7-e315-4759-86c9-6214e2a50ff8", + "type": "detects" + }, { "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", "type": "detects" 
@@ -5553,6 +5655,10 @@ "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", "type": "detects" }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "detects" + }, { "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", "type": "detects" @@ -5597,6 +5703,10 @@ "dest-uuid": "90c4a591-d02d-490b-92aa-619d9701ac04", "type": "detects" }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "detects" + }, { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "detects" @@ -6123,6 +6233,10 @@ "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", "type": "detects" }, + { + "dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2", + "type": "detects" + }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "detects" @@ -6239,6 +6353,10 @@ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "detects" }, + { + "dest-uuid": "356662f7-e315-4759-86c9-6214e2a50ff8", + "type": "detects" + }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "type": "detects" @@ -6263,6 +6381,14 @@ "dest-uuid": "3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc", "type": "detects" }, + { + "dest-uuid": "3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5", + "type": "detects" + }, + { + "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", + "type": "detects" + }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "type": "detects" @@ -6383,6 +6509,10 @@ "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "type": "detects" }, + { + "dest-uuid": "561ae9aa-c28a-4144-9eec-e7027a14c8c3", + "type": "detects" + }, { "dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c", "type": "detects" @@ -6447,6 +6577,10 @@ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "type": "detects" }, + { + "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", + "type": "detects" + }, { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "type": "detects" 
@@ -6487,6 +6621,10 @@ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "detects" }, + { + "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", + "type": "detects" + }, { "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177", "type": "detects" @@ -6891,6 +7029,14 @@ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "detects" }, + { + "dest-uuid": "e6f19759-dde3-47fc-99cc-d9f5fa4ade60", + "type": "detects" + }, + { + "dest-uuid": "e8a0a025-3601-4755-abfb-8d08283329fb", + "type": "detects" + }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "detects" @@ -6919,6 +7065,10 @@ "dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995", "type": "detects" }, + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "type": "detects" + }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "detects" @@ -7033,6 +7183,10 @@ "dest-uuid": "0dcbbf4f-929c-489a-b66b-9b820d3f7f0e", "type": "included-in" }, + { + "dest-uuid": "149b477f-f364-4824-b1b5-aa1d56115869", + "type": "detects" + }, { "dest-uuid": "155207c0-7f53-4f13-a06b-0a9907ef5096", "type": "detects" @@ -7121,6 +7275,10 @@ "dest-uuid": "e5d550f3-2202-4634-85f2-4a200a1d49b3", "type": "detects" }, + { + "dest-uuid": "eb897572-8979-4242-a089-56f294f4c91d", + "type": "detects" + }, { "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", "type": "detects" @@ -7595,6 +7753,10 @@ "dest-uuid": "7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", "type": "detects" }, + { + "dest-uuid": "eb897572-8979-4242-a089-56f294f4c91d", + "type": "detects" + }, { "dest-uuid": "f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", "type": "detects" @@ -7895,6 +8057,10 @@ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "detects" }, + { + "dest-uuid": "e6f19759-dde3-47fc-99cc-d9f5fa4ade60", + "type": "detects" + }, { "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", "type": "detects" 
@@ -7961,6 +8127,10 @@ "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "detects" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "detects" + }, { "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", "type": "detects" @@ -8593,6 +8763,10 @@ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "detects" }, + { + "dest-uuid": "e8a0a025-3601-4755-abfb-8d08283329fb", + "type": "detects" + }, { "dest-uuid": "ea071aa0-8f17-416f-ab0d-2bab7e79003d", "type": "detects" @@ -8743,6 +8917,10 @@ "dest-uuid": "670a4d75-103b-4b14-8a9e-4652fa795edd", "type": "detects" }, + { + "dest-uuid": "6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", + "type": "detects" + }, { "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", "type": "detects" @@ -9017,6 +9195,10 @@ "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "detects" }, + { + "dest-uuid": "356662f7-e315-4759-86c9-6214e2a50ff8", + "type": "detects" + }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "detects" @@ -9452,6 +9634,10 @@ { "dest-uuid": "e196b5c5-8118-4a1c-ab8a-936586ce3db5", "type": "detects" + }, + { + "dest-uuid": "eb897572-8979-4242-a089-56f294f4c91d", + "type": "detects" } ], "uuid": "1067aa74-5796-4d9b-b4f1-a4c9eb6fd9da", @@ -9763,6 +9949,10 @@ "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "detects" }, + { + "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "type": "detects" + }, { "dest-uuid": "498e7b81-238d-404c-aa5e-332904d63286", "type": "detects" @@ -9811,6 +10001,10 @@ "dest-uuid": "b1e0bb80-23d4-44f2-b919-7e9c54898f43", "type": "included-in" }, + { + "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", + "type": "detects" + }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "detects" @@ -10058,5 +10252,5 @@ "value": "System Settings" } ], - "version": 1 + "version": 2 } diff --git a/clusters/mitre-data-source.json b/clusters/mitre-data-source.json index 1f3bbf2b..e0820f87 100644 --- a/clusters/mitre-data-source.json 
+++ b/clusters/mitre-data-source.json
@@ -225,6 +225,10 @@
 "dest-uuid": "5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
 "type": "includes"
 },
+ {
+ "dest-uuid": "613788f2-ad72-43f5-b5f7-a93e2adc70fa",
+ "type": "includes"
+ },
 {
 "dest-uuid": "6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
 "type": "includes"
@@ -1251,5 +1255,5 @@
 "value": "Certificate - DS0037"
 }
 ],
- "version": 1
+ "version": 2
 }
diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json
index a1bef124..f49f0b7a 100644
--- a/clusters/mitre-intrusion-set.json
+++ b/clusters/mitre-intrusion-set.json
@@ -172,6 +172,10 @@
 "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
 "type": "uses"
@@ -395,10 +399,6 @@
 "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8",
 "type": "uses"
@@ -478,27 +478,6 @@
 {
 "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
 "type": "uses"
- },
- {
- "dest-uuid": "f1b9f7d6-6ab1-404b-91a6-a1ed1845c045",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "4af45fea-72d3-11e8-846c-d37699506c8d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
@@ -541,13 +520,6 @@
 {
 "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
 "type": "uses"
- },
- {
- "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983",
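Review bot: The `uses` relation to `b3d682b6-98f2-4fb0-aa3b-b4df007ca70a` removed in the hunk at -395 is paired, apparently in the same cluster, with a new `uses` to `0d91b3c0-5e50-47c3-949a-2a796f04d144` at -172, and the same swap recurs at -894/-930, -2153/-2201, -2263/-2355, -2445/-2501, -2581/-2884 and -3057/-3077. That pattern reads like an upstream remap of a group's technique to a newer, more specific one (to confirm against the ATT&CK release notes); because the `b3d682b6…` link is deleted rather than kept alongside, any consumer that pivots on the old technique uuid loses these groups in version 2 of the file. If the remap is intentional the commit message should say so; otherwise the old relation should stay next to the new one.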
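Review bot: The hunk at -478 drops the two `similar` relations (`f1b9f7d6…`, `4af45fea…`) of cluster `fb366179-766c-4a4a-afa1-52bff1fd601c` together with the tagged `uses`, and the same happens at -1255 (Deep Panda), -3015, -3591 and -3772, while the hunks at -1774 and -1817 keep their `similar` relations as context. `similar` entries carry a likelihood tag and point outside the set of `uses` targets, which suggests they are maintained separately from the regenerated ATT&CK relations; removing them in some clusters and not others leaves cross-galaxy correlation in MISP inconsistent, so unless their targets were retired they should be restored, e.g. `{ "dest-uuid": "f1b9f7d6-6ab1-404b-91a6-a1ed1845c045", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }`. The tagged `uses` to `294e2560…` removed here has no untagged twin inside the hunk either, so check that it is duplicated earlier in the list before accepting the deletion. The enclosing cluster starts outside the hunk.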
@@ -588,6 +560,7 @@ "external_id": "G0030", "refs": [ "https://attack.mitre.org/groups/G0030", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://securelist.com/the-spring-dragon-apt/70726/", "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" @@ -595,7 +568,9 @@ "synonyms": [ "Lotus Blossom", "DRAGONFISH", - "Spring Dragon" + "Spring Dragon", + "RADIUM", + "Raspberry Typhoon" ] }, "related": [ @@ -613,13 +588,6 @@ { "dest-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "type": "uses" - }, - { - "dest-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", @@ -865,13 +833,6 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", @@ -894,6 +855,10 @@ "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" @@ -930,10 +895,6 @@ "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "type": "uses" 
@@ -1255,31 +1216,98 @@ { "dest-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", "type": "uses" - }, - { - "dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "value": "Deep Panda - G0009" }, + { + "description": "[Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access for the download of additional malware including LockBit, [WastedLocker](https://attack.mitre.org/software/S0612), and remote access tools.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Secureworks Gold Prelude Profile)(Citation: SocGholish-update)", + "meta": { + "external_id": "G1020", + "refs": [ + "https://attack.mitre.org/groups/G1020", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update", + "https://www.secureworks.com/research/threat-profiles/gold-prelude" + ], + "synonyms": [ + "Mustard Tempest", + "DEV-0206", + "TA569", + "GOLD PRELUDE", + "UNC1543" + ] + }, + "related": [ + { + "dest-uuid": "155207c0-7f53-4f13-a06b-0a9907ef5096", + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", 
+ "type": "uses" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "uses" + }, + { + "dest-uuid": "31fe0ba2-62fd-4fd9-9293-4043d84f7fe9", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", + "type": "uses" + }, + { + "dest-uuid": "5911d2ca-64f6-49b3-b94f-29b5d185085c", + "type": "uses" + }, + { + "dest-uuid": "60c4b628-4807-4b0b-bbf5-fdac8643c337", + "type": "uses" + }, + { + "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "uses" + }, + { + "dest-uuid": "e5d550f3-2202-4634-85f2-4a200a1d49b3", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "uses" + }, + { + "dest-uuid": "f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", + "type": "uses" + } + ], + "uuid": "0d4ac089-ced4-4cc4-a989-174d08e6d030", + "value": "Mustard Tempest - G1020" + }, { "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. 
[Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", "meta": { "external_id": "G0102", "refs": [ "https://attack.mitre.org/groups/G0102", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/", "https://us-cert.cisa.gov/ncas/alerts/aa20-302a", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", @@ -1298,7 +1326,8 @@ "FIN12", "GOLD BLACKBURN", "ITG23", - "Periwinkle Tempest" + "Periwinkle Tempest", + "DEV-0193" ] }, "related": [ @@ -1406,6 +1435,10 @@ "dest-uuid": "4dea7d8e-af94-4bfb-afe4-7ff54f59308b", "type": "uses" }, + { + "dest-uuid": "4e9bdf9a-4957-47f6-87b3-c76898d3f623", + "type": "uses" + }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" @@ -1418,6 +1451,10 @@ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, + { + "dest-uuid": "5f1d4579-4e8f-48e7-860e-2da773ae432e", + "type": "uses" + }, { "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "type": "uses" @@ -1774,13 +1811,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "ae41895a-243f-4a65-b99b-d85022326c31", 
@@ -1817,20 +1847,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", @@ -1842,12 +1858,17 @@ "external_id": "G1006", "refs": [ "https://attack.mitre.org/groups/G1006", + "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" ], "synonyms": [ "Earth Lusca", - "TAG-22" + "TAG-22", + "Charcoal Typhoon", + "CHROMIUM", + "ControlX" ] }, "related": [ @@ -2153,6 +2174,10 @@ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" @@ -2201,10 +2226,6 @@ "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" @@ -2263,6 +2284,10 @@ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" 
@@ -2355,10 +2380,6 @@ "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" @@ -2445,14 +2466,21 @@ "external_id": "G1009", "refs": [ "https://attack.mitre.org/groups/G1009", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/", "https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" ], "synonyms": [ - "Moses Staff" + "Moses Staff", + "DEV-0500", + "Marigold Sandstorm" ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" @@ -2501,10 +2529,6 @@ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" 
@@ -2522,13 +2546,14 @@ "value": "Moses Staff - G1009" }, { - "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). ", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. 
Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). ", "meta": { "external_id": "G0032", "refs": [ "https://attack.mitre.org/groups/G0032", "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/", "https://home.treasury.gov/news/press-releases/sm774", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", "https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/", "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing", @@ -2541,7 +2566,8 @@ "HIDDEN COBRA", "Guardians of Peace", "ZINC", - "NICKEL ACADEMY" + "NICKEL ACADEMY", + "Diamond Sleet" ] }, "related": [ @@ -2581,6 +2607,10 @@ "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", "type": "uses" 
@@ -2884,10 +2914,6 @@ "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988", "type": "uses" @@ -3015,20 +3041,6 @@ { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" - }, - { - "dest-uuid": "027a1428-6e79-4a4b-82b9-e698e8525c2b", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", @@ -3057,6 +3069,10 @@ ], "type": "similar" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", "type": "uses" @@ -3077,10 +3093,6 @@ "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", "type": "uses" @@ -3088,13 +3100,6 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" - }, - { - "dest-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", @@ -3139,13 +3144,6 @@ { "dest-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", "type": "uses" - }, - { - "dest-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", 
@@ -3202,13 +3200,6 @@ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", @@ -3222,6 +3213,8 @@ "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html", "https://attack.mitre.org/groups/G0034", "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf", + "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/", "https://www.dragos.com/resource/electrum/", "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html", @@ -3241,7 +3234,9 @@ "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", - "IRIDIUM" + "IRIDIUM", + "Seashell Blizzard", + "FROZENBARENTS" ] }, "related": [ @@ -3257,10 +3252,18 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0458aab9-ad42-4eac-9e22-706a95bafee2", + "type": "uses" + }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, + { + "dest-uuid": "04cecafd-cb5f-4daf-aa1f-73899116c4a2", + "type": "uses" + }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" @@ -3285,6 +3288,10 @@ "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "type": "uses" + }, { "dest-uuid": "11194d8b-fdce-45d2-8047-df15bb8f16bd", "type": "uses" 
@@ -3317,6 +3324,10 @@
 "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b",
 "type": "uses"
 },
+ {
+ "dest-uuid": "274770e0-2612-4ccf-a678-ef8e7bad365d",
+ "type": "uses"
+ },
 {
 "dest-uuid": "2b5aa86b-a0df-4382-848d-30abea443327",
 "type": "uses"
@@ -3361,6 +3372,10 @@
 "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
 "type": "uses"
 },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "type": "uses"
+ },
 {
 "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
 "type": "uses"
@@ -3369,6 +3384,10 @@
 "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3",
 "type": "uses"
 },
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "type": "uses"
+ },
 {
 "dest-uuid": "4800d0f9-00aa-47cd-a4d2-92198585b8fd",
 "type": "uses"
@@ -3533,6 +3552,10 @@
 "dest-uuid": "c675646d-e204-4aa8-978d-e3d6d65885c4",
 "type": "uses"
 },
+ {
+ "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416",
+ "type": "uses"
+ },
 {
 "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
 "type": "uses"
@@ -3545,6 +3568,10 @@
 "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
 "type": "uses"
 },
+ {
+ "dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df",
+ "type": "uses"
+ },
 {
 "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
 "type": "uses"
@@ -3553,6 +3580,10 @@
 "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
 "type": "uses"
 },
+ {
+ "dest-uuid": "e196b5c5-8118-4a1c-ab8a-936586ce3db5",
+ "type": "uses"
+ },
 {
 "dest-uuid": "e221eb77-1502-4129-af1d-fe1ad55e7ec6",
 "type": "uses"
@@ -3591,27 +3622,6 @@
 {
 "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
 "type": "uses"
- },
- {
- "dest-uuid": "b47250ec-2094-4d06-b658-11456e05fe89",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
@@ -3700,13 +3710,6 @@
 {
 "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
 "type": "uses"
- },
- {
- "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
@@ -3772,34 +3775,6 @@
 {
 "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
 "type": "uses"
- },
- {
- "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
@@ -3812,6 +3787,7 @@
 "refs": [
 "https://attack.mitre.org/groups/G0047",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
 "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
 "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/",
@@ -3827,7 +3803,8 @@
 "ACTINIUM",
 "Armageddon",
 "Shuckworm",
- "DEV-0157"
+ "DEV-0157",
+ "Aqua Blizzard"
 ]
 },
 "related": [
@@ -4045,13 +4022,6 @@
 {
 "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
 "type": "uses"
- },
- {
- "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
@@ -4088,6 +4058,7 @@
 "https://blog.certfa.com/posts/charming-kitten-christmas-gift/",
 "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
 "https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
 "https://noticeofpleadings.com/phosphorus/files/Complaint.pdf",
 "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/",
 "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
@@ -4108,7 +4079,8 @@
 "ITG18",
 "Phosphorus",
 "Newscaster",
- "APT35"
+ "APT35",
+ "Mint Sandstorm"
 ]
 },
 "related": [
@@ -4144,6 +4116,10 @@
 "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "0dda99f0-4701-48ca-9774-8504922e92d3",
 "type": "uses"
@@ -4377,10 +4353,6 @@
 "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a",
 "type": "uses"
@@ -4520,27 +4492,6 @@
 {
 "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
 "type": "uses"
- },
- {
- "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
@@ -4774,6 +4725,143 @@
 "uuid": "129f2f77-1ab2-4c35-bd5e-21260cee92af",
 "value": "EXOTIC LILY - G1011"
 },
+ {
+ "description": "[Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) source code. [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) may be motivated by intellectual property theft or cyberespionage rather than financial gain.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Trend Micro Cheerscrypt May 2022)(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)",
+ "meta": {
+ "external_id": "G1021",
+ "refs": [
+ "https://attack.mitre.org/groups/G1021",
+ "https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
+ "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://www.secureworks.com/research/threat-profiles/bronze-starlight",
+ "https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html"
+ ],
+ "synonyms": [
+ "Cinnamon Tempest",
+ "DEV-0401",
+ "Emperor Dragonfly",
+ "BRONZE STARLIGHT"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "11f8d7eb-1927-4806-9267-3a11d4d4d6be",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "54089fba-8662-4f37-9a44-6ad25a5f630a",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "59096109-a1dd-463b-87e7-a8d110fe3a79",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5d3fa1db-5041-4560-b87b-8f61cc225c52",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "a545456a-f9a7-47ad-9ea6-8b017def38d1",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "type": "uses"
+ }
+ ],
+ "uuid": "8b1e16f6-e7c8-4b7a-a5df-f81232c13e2f",
+ "value": "Cinnamon Tempest - G1021"
+ },
 {
 "description": "[Tonto Team](https://attack.mitre.org/groups/G0131) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. [Tonto Team](https://attack.mitre.org/groups/G0131) has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Technica China Hack SK April 2017)(Citation: Trend Micro HeartBeat Campaign January 2013)(Citation: Talos Bisonal 10 Years March 2020)",
 "meta": {
@@ -4953,40 +5041,185 @@
 "value": "GOLD SOUTHFIELD - G0115"
 },
 {
- "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.(Citation: CrowdStrike Scattered Spider Profile)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)",
+ "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group that has been active since at least 2022.(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. Beginning in 2023, [Scattered Spider](https://attack.mitre.org/groups/G1015) expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.(Citation: MSTIC Octo Tempest Operations October 2023) During campaigns, [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)",
 "meta": {
 "external_id": "G1015",
 "refs": [
 "https://attack.mitre.org/groups/G1015",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a",
 "https://www.crowdstrike.com/adversaries/scattered-spider/",
 "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/",
- "https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/"
+ "https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/",
+ "https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/"
 ],
 "synonyms": [
 "Scattered Spider",
- "Roasted 0ktapus"
+ "Roasted 0ktapus",
+ "Octo Tempest",
+ "Storm-0875"
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff",
+ "type": "uses"
+ },
 {
 "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
 "type": "uses"
 },
+ {
+ "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "24769ab5-14bd-4f4e-a752-cfb185da53ee",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906",
+ "type": "uses"
+ },
 {
 "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
 "type": "uses"
 },
+ {
+ "dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "50c44c34-3abb-48ae-9433-a2337de5b0bc",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6a5d222a-a7e0-4656-b110-782c33098289",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8861073d-d1b8-4941-82ce-dce621d398f0",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "type": "uses"
+ },
 {
 "dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493",
 "type": "uses"
 },
+ {
+ "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
+ "type": "uses"
+ },
 {
 "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
 "type": "uses"
 },
+ {
+ "dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c9e0c59e-162e-40a4-b8b1-78fab4329ada",
+ "type": "uses"
+ },
 {
 "dest-uuid": "cca0ccb6-a068-4574-a722-b1556f86833a",
 "type": "uses"
+ },
+ {
+ "dest-uuid": "ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cf1c2504-433f-4c4e-a1f8-91de45a0318c",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e49920b0-6c54-40c1-9571-73723653205f",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "fde19a18-e502-467f-be14-58c71b4e7f4b",
+ "type": "uses"
 }
 ],
 "uuid": "44d37b89-a739-4810-9111-0d2617a8939b",
@@ -5014,6 +5247,7 @@
 "external_id": "G0117",
 "refs": [
 "https://attack.mitre.org/groups/G0117",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-259a",
 "https://www.clearskysec.com/fox-kitten/",
 "https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf",
@@ -5024,7 +5258,9 @@
 "Fox Kitten",
 "UNC757",
 "Parisite",
- "Pioneer Kitten"
+ "Pioneer Kitten",
+ "RUBIDIUM",
+ "Lemon Sandstorm"
 ]
 },
 "related": [
@@ -5040,6 +5276,10 @@
 "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
 "type": "uses"
@@ -5160,10 +5400,6 @@
 "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
 "type": "uses"
@@ -5248,6 +5484,10 @@
 "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
 "type": "uses"
 },
+ {
+ "dest-uuid": "149b477f-f364-4824-b1b5-aa1d56115869",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
 "type": "uses"
@@ -5344,10 +5584,6 @@
 "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
 "type": "uses"
 },
- {
- "dest-uuid": "810d8072-afb6-4a56-9ee7-86379ac4a6f3",
- "type": "uses"
- },
 {
 "dest-uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969",
 "type": "uses"
@@ -5435,12 +5671,15 @@
 "refs": [
 "https://attack.mitre.org/groups/G0119",
 "https://home.treasury.gov/news/press-releases/sm845",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
 "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/",
 "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/"
 ],
 "synonyms": [
 "Indrik Spider",
- "Evil Corp"
+ "Evil Corp",
+ "Manatee Tempest",
+ "DEV-0243"
 ]
 },
 "related": [
@@ -6075,6 +6314,10 @@
 ],
 "type": "similar"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
 "type": "uses"
@@ -6119,10 +6362,6 @@
 "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
 "type": "uses"
@@ -6210,13 +6449,15 @@
 "external_id": "G1004",
 "refs": [
 "https://attack.mitre.org/groups/G1004",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
 "https://unit42.paloaltonetworks.com/lapsus-group/",
 "https://www.bbc.com/news/technology-60953527",
 "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/"
 ],
 "synonyms": [
 "LAPSUS$",
- "DEV-0537"
+ "DEV-0537",
+ "Strawberry Tempest"
 ]
 },
 "related": [
@@ -6458,6 +6699,62 @@
 "uuid": "c4d50cdf-87ce-407d-86d8-862883485842",
 "value": "APT-C-36 - G0099"
 },
+ {
+ "description": "[APT-C-23](https://attack.mitre.org/groups/G1028) is a threat group that has been active since at least 2014.(Citation: symantec_mantis) [APT-C-23](https://attack.mitre.org/groups/G1028) has primarily focused its operations on the Middle East, including Israeli military assets. [APT-C-23](https://attack.mitre.org/groups/G1028) has developed mobile spyware targeting Android and iOS devices since 2017.(Citation: welivesecurity_apt-c-23)",
+ "meta": {
+ "external_id": "G1028",
+ "refs": [
+ "https://attack.mitre.org/groups/G1028",
+ "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/",
+ "https://web.archive.org/web/20230604112435/https://research.checkpoint.com/2018/interactive-mapping-of-apt-c-23/",
+ "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf",
+ "https://web.archive.org/web/20231227054130/https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks",
+ "https://web.archive.org/web/20240208234008/www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/"
+ ],
+ "synonyms": [
+ "APT-C-23",
+ "Mantis",
+ "Arid Viper",
+ "Desert Falcon",
+ "TAG-63",
+ "Grey Karkadann",
+ "Big Bang APT",
+ "Two-tailed Scorpion"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3271c107-92c4-442e-9506-e76d62230ee8",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8c050cea-86e1-4b63-bf21-7af4fa483349",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f97e2718-af50-41df-811f-215ebab45691",
+ "type": "uses"
+ }
+ ],
+ "uuid": "8332952e-b86b-486b-acc3-1c2a85d39394",
+ "value": "APT-C-23 - G1028"
+ },
 {
 "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)",
 "meta": {
@@ -6476,86 +6773,18 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "type": "uses"
- },
- {
- "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
- "type": "uses"
- },
- {
- "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
- "type": "uses"
- },
- {
- "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
- "type": "uses"
- },
 {
 "dest-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c",
 "type": "uses"
 },
- {
- "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6",
- "type": "uses"
- },
- {
- "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
- "type": "uses"
- },
- {
- "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
- "type": "uses"
- },
- {
- "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
- "type": "uses"
- },
- {
- "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6",
- "type": "uses"
- },
 {
 "dest-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6",
 "type": "uses"
 },
- {
- "dest-uuid": "79da0971-3147-4af6-a4f5-e8cd447cd795",
- "type": "uses"
- },
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "type": "uses"
- },
- {
- "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
- "type": "uses"
- },
 {
 "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
 "type": "uses"
 },
- {
- "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
- "type": "uses"
- },
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "type": "uses"
- },
- {
- "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
- "type": "uses"
- },
- {
- "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
- "type": "uses"
- },
- {
- "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
- "type": "uses"
- },
 {
 "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
 "type": "uses"
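Review bot: The TEMP.Veles `related` list loses 17 untagged `uses` entries in this hunk (`005a06c6-…` through `eb062747-…`) and only `20a66013-…`, `795c1a92-…`, `afc079f3-…` and `ff6caf67-…` remain within it; nothing in the diff shows those techniques being re-attached elsewhere, for instance to a software cluster. Elsewhere in this chunk the untagged removals are single entries (`b3d682b6-…`, `810d8072-…`) while groups otherwise only gain links, so a net loss of 17 for one group stands out and is worth confirming against the upstream ATT&CK group entry, or explaining in the commit message if it mirrors an upstream change. The list continues past the end of the hunk, so any entries after `ff6caf67-…` are not visible here.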
@@ -6624,20 +6853,6 @@
 {
 "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
 "type": "uses"
- },
- {
- "dest-uuid": "6c74fda2-bb04-40bd-a166-8c2d4b952d33",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "fbe9387f-34e6-4828-ac28-3080020c597b",
@@ -6699,27 +6914,6 @@
 {
 "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
 "type": "uses"
- },
- {
- "dest-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
@@ -6773,27 +6967,6 @@
 {
 "dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
 "type": "uses"
- },
- {
- "dest-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
@@ -7002,27 +7175,6 @@
 {
 "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
 "type": "uses"
- },
- {
- "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
@@ -7148,34 +7300,6 @@
 {
 "dest-uuid": "fb28627c-d6ea-4c35-b138-ab5e96ae5445",
 "type": "uses"
- },
- {
- "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
@@ -7198,6 +7322,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
 "type": "uses"
@@ -7266,10 +7394,6 @@
 "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b",
 "type": "uses"
@@ -7310,6 +7434,7 @@
 "http://www.secureworks.com/research/threat-profiles/iron-hunter",
 "https://attack.mitre.org/groups/G0010",
 "https://blog.talosintelligence.com/2021/09/tinyturla.html",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
 "https://securelist.com/introducing-whitebear/81638/",
 "https://securelist.com/the-epic-turla-operation/65545/",
 "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
@@ -7325,12 +7450,13 @@
 "Turla",
 "IRON HUNTER",
 "Group 88",
- "Belugasturgeon",
 "Waterbug",
 "WhiteBear",
 "Snake",
 "Krypton",
- "Venomous Bear"
+ "Venomous Bear",
+ "Secret Blizzard",
+ "BELUGASTURGEON"
 ]
 },
 "related": [
@@ -7719,13 +7845,6 @@
 {
 "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
 "type": "uses"
- },
- {
- "dest-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
@@ -7737,6 +7856,7 @@
 "external_id": "G0050",
 "refs": [
 "https://attack.mitre.org/groups/G0050",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
 "https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf",
 "https://www.cybereason.com/blog/operation-cobalt-kitty-apt",
 "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
@@ -7748,7 +7868,9 @@
 "APT32",
 "SeaLotus",
 "OceanLotus",
- "APT-C-00"
+ "APT-C-00",
+ "Canvas Cyclone",
+ "BISMUTH"
 ]
 },
 "related": [
@@ -7796,6 +7918,10 @@
 "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
 "type": "uses"
@@ -8030,10 +8156,6 @@
 "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
 "type": "uses"
@@ -8137,20 +8259,6 @@
 {
 "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
 "type": "uses"
- },
- {
- "dest-uuid": "7e5a571f-dee2-4cae-a960-f8ab8a8fb1cf",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
@@ -8162,6 +8270,7 @@
 "external_id": "G0092",
 "refs": [
 "https://attack.mitre.org/groups/G0092",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
 "https://research.nccgroup.com/2020/11/18/ta505-a-brief-history-of-their-time/",
 "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
 "https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=",
@@ -8171,7 +8280,9 @@
 ],
 "synonyms": [
 "TA505",
- "Hive0065"
+ "Hive0065",
+ "Spandex Tempest",
+ "CHIMBORAZO"
 ]
 },
 "related": [
@@ -8199,6 +8310,10 @@
 "dest-uuid": "099ecff2-41b8-436d-843c-038a9aa9aa69",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
 "type": "uses"
@@ -8315,10 +8430,6 @@
 "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
 "type": "uses"
@@ -8462,6 +8573,10 @@
 "dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
 "type": "uses"
@@ -8470,6 +8585,10 @@
 "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
 "type": "uses"
 },
+ {
+ "dest-uuid": "149b477f-f364-4824-b1b5-aa1d56115869",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba",
 "type": "uses"
@@ -8655,6 +8774,10 @@
 "dest-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
 "type": "uses"
 },
+ {
+ "dest-uuid": "79da0971-3147-4af6-a4f5-e8cd447cd795",
+ "type": "uses"
+ },
 {
 "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
 "type": "uses"
@@ -8755,10 +8878,6 @@
 "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a",
 "type": "uses"
@@ -8902,20 +9021,6 @@
 {
 "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
 "type": "uses"
- },
- {
- "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
@@ -8949,13 +9054,6 @@
 {
 "dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995",
 "type": "uses"
- },
- {
- "dest-uuid": "10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9",
@@ -8988,20 +9086,6 @@
 {
 "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
 "type": "uses"
- },
- {
- "dest-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f",
@@ -9013,6 +9097,7 @@
 "external_id": "G0004",
 "refs": [
 "https://attack.mitre.org/groups/G0004",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
 "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
 "https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/",
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf",
@@ -9027,7 +9112,8 @@
 "GREF",
 "Playful Dragon",
 "RoyalAPT",
- "NICKEL"
+ "NICKEL",
+ "Nylon Typhoon"
 ]
 },
 "related": [
@@ -9254,13 +9340,6 @@
 {
 "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
 "type": "uses"
- },
- {
- "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
@@ -9389,41 +9468,6 @@
 {
 "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
 "type": "uses"
- },
- {
- "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
@@ -9660,20 +9704,6 @@
 {
 "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
 "type": "uses"
- },
- {
- "dest-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
@@ -9763,20 +9793,6 @@
 {
 "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
 "type": "uses"
- },
- {
- "dest-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
@@ -9980,6 +9996,10 @@
 "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
 "type": "uses"
 },
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "type": "uses"
+ },
 {
 "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
 "type": "uses"
@@ -10132,13 +10152,6 @@
 {
 "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
 "type": "uses"
- },
- {
- "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647",
@@ -10172,13 +10185,6 @@
 {
 "dest-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b",
 "type": "uses"
- },
- {
- "dest-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
@@ -10228,55 +10234,6 @@
 {
 "dest-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43",
 "type": "uses"
- },
- {
- "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
@@ -10300,6 +10257,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
 "type": "uses"
@@ -10353,10 +10314,6 @@
 "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236",
 "type": "uses"
@@ -10388,13 +10345,6 @@
 {
 "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
 "type": "uses"
- },
- {
- "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
@@ -10408,6 +10358,7 @@
 "http://www.secureworks.com/research/threat-profiles/iron-hemlock",
 "https://attack.mitre.org/groups/G0016",
 "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
 "https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF",
 "https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/",
 "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/",
@@ -10450,7 +10401,8 @@
 "CozyDuke",
 "SolarStorm",
 "Blue Kitsune",
- "UNC3524"
+ "UNC3524",
+ "Midnight Blizzard"
 ]
 },
 "related": [
@@ -10654,6 +10606,10 @@
 "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c",
 "type": "uses"
 },
+ {
+ "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
+ "type": "uses"
+ },
 {
 "dest-uuid": "6dbdc657-d8e0-4f2f-909b-7251b3e72c6d",
 "type": "uses"
@@ -10702,6 +10658,10 @@
 "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54",
 "type": "uses"
 },
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "type": "uses"
+ },
 {
 "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe",
 "type": "uses"
@@ -10762,10 +10722,6 @@
 "dest-uuid": "a8839c95-029f-44cf-8f3d-a3cf2039e927",
 "type": "uses"
 },
- {
- "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
- "type": "uses"
- },
 {
 "dest-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164",
 "type": "uses"
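Review bot: In hunk `@@ -10762,10 +10722,6 @@` the untagged `uses` relation to `ac08589e-ee59-4935-8667-d845e38fe579` is deleted outright, whereas every other untagged deletion in this diff removes `b3d682b6-98f2-4fb0-aa3b-b4df007ca70a`, which hunk `@@ -14185,7 +14108,7 @@` shows being substituted by `0d91b3c0-5e50-47c3-949a-2a796f04d144`. If `ac08589e-...` was likewise revoked upstream, its successor should presumably be linked from this cluster too; if the relation was simply dropped from the upstream group entry, a line in the commit description saying so would settle the question. The enclosing `related` list of the APT29 - G0016 object extends beyond this hunk.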
@@ -10829,6 +10785,10 @@
 "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2",
 "type": "uses"
 },
+ {
+ "dest-uuid": "cacc40da-4c9e-462c-80d5-fd70a178b12d",
+ "type": "uses"
+ },
 {
 "dest-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df",
 "type": "uses"
@@ -10877,6 +10837,10 @@
 "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306",
 "type": "uses"
 },
+ {
+ "dest-uuid": "eb897572-8979-4242-a089-56f294f4c91d",
+ "type": "uses"
+ },
 {
 "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
 "type": "uses"
@@ -10898,14 +10862,11 @@
 "type": "uses"
 },
 {
- "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
+ "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
 "type": "uses"
 },
 {
- "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
+ "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
 "type": "uses"
 }
 ],
@@ -10913,7 +10874,7 @@
 "value": "APT29 - G0016"
 },
 {
- "description": "[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)",
+ "description": "[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)",
 "meta": {
 "external_id": "G1002",
 "refs": [
@@ -10931,6 +10892,10 @@
 "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d",
 "type": "uses"
@@ -10971,10 +10936,6 @@
 "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
 "type": "uses"
@@ -10987,6 +10948,10 @@
 "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
 "type": "uses"
 },
+ {
+ "dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df",
+ "type": "uses"
+ },
 {
 "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
 "type": "uses"
@@ -11005,6 +10970,7 @@
 "external_id": "G0012",
 "refs": [
 "https://attack.mitre.org/groups/G0012",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf",
 "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWxPuf",
 "https://securelist.com/darkhotels-attacks-in-2015/71713/",
@@ -11014,7 +10980,8 @@
 ],
 "synonyms": [
 "Darkhotel",
- "DUBNIUM"
+ "DUBNIUM",
+ "Zigzag Hail"
 ]
 },
 "related": [
@@ -11022,6 +10989,10 @@
 "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
 "type": "uses"
@@ -11086,10 +11057,6 @@
 "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
 "type": "uses"
@@ -11120,13 +11087,6 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
- },
- {
- "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383",
@@ -11236,6 +11196,10 @@
 "dest-uuid": "0ba9281c-93fa-4b29-8e9e-7ef918c7b13a",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
 "type": "uses"
@@ -11292,10 +11256,6 @@
 "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
 "type": "uses"
@@ -11318,13 +11278,6 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
- },
- {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411",
@@ -11425,13 +11378,6 @@
 {
 "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
 "type": "uses"
- },
- {
- "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
@@ -11470,6 +11416,10 @@
 "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
 "type": "uses"
@@ -11522,10 +11472,6 @@
 "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
 "type": "uses"
@@ -11567,6 +11513,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "115f88dd-0618-4389-83cb-98d33ae81848",
 "type": "uses"
@@ -11587,10 +11537,6 @@
 "dest-uuid": "5763217a-05b6-4edd-9bca-057e47b5e403",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
 "type": "uses"
@@ -11606,12 +11552,15 @@
 "refs": [
 "https://attack.mitre.org/groups/G0096",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
 "https://www.group-ib.com/blog/colunmtk-apt41/",
 "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf"
 ],
 "synonyms": [
 "APT41",
- "Wicked Panda"
+ "Wicked Panda",
+ "Brass Typhoon",
+ "BARIUM"
 ]
 },
 "related": [
@@ -11663,6 +11612,14 @@
 "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d",
 "type": "uses"
 },
+ {
+ "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
 "type": "uses"
@@ -11679,6 +11636,14 @@
 "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d",
 "type": "uses"
 },
+ {
+ "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "type": "uses"
+ },
 {
 "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
 "type": "uses"
@@ -11707,6 +11672,10 @@
 "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
 "type": "uses"
 },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "type": "uses"
+ },
 {
 "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
 "type": "uses"
@@ -11735,6 +11704,10 @@
 "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
 "type": "uses"
 },
+ {
+ "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4",
+ "type": "uses"
+ },
 {
 "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2",
 "type": "uses"
@@ -11743,6 +11716,10 @@
 "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
 "type": "uses"
 },
+ {
+ "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "type": "uses"
+ },
 {
 "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70",
 "type": "uses"
@@ -11787,6 +11764,14 @@
 "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
 "type": "uses"
 },
+ {
+ "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "76551c52-b111-4884-bc47-ff3e728f0156",
+ "type": "uses"
+ },
 {
 "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
 "type": "uses"
@@ -11819,6 +11804,10 @@
 "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
 "type": "uses"
 },
+ {
+ "dest-uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555",
+ "type": "uses"
+ },
 {
 "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
 "type": "uses"
@@ -11875,6 +11864,10 @@
 "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
 "type": "uses"
 },
+ {
+ "dest-uuid": "bc76d0a4-db11-4551-9ac4-01a469cfb161",
+ "type": "uses"
+ },
 {
 "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
 "type": "uses"
@@ -11883,6 +11876,22 @@
 "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
 "type": "uses"
 },
+ {
+ "dest-uuid": "bed04f7d-e48a-4e76-bd0f-4c57fe31fc46",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
+ "type": "uses"
+ },
 {
 "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
 "type": "uses"
@@ -11903,6 +11912,10 @@
 "dest-uuid": "cfc75b0d-e579-40ae-ad07-a1ce00d49a6c",
 "type": "uses"
 },
+ {
+ "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3",
+ "type": "uses"
+ },
 {
 "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
 "type": "uses"
@@ -11919,6 +11932,10 @@
 "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945",
 "type": "uses"
 },
+ {
+ "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
+ "type": "uses"
+ },
 {
 "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
 "type": "uses"
@@ -11927,6 +11944,10 @@
 "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
 "type": "uses"
 },
+ {
+ "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
+ "type": "uses"
+ },
 {
 "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
 "type": "uses"
@@ -11939,10 +11960,18 @@
 "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
 "type": "uses"
 },
+ {
+ "dest-uuid": "ec4be82f-940c-4dcb-87fe-2bbdd17c692f",
+ "type": "uses"
+ },
 {
 "dest-uuid": "ec9e00dd-0313-4d5b-8105-c20aa47abffc",
 "type": "uses"
 },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "type": "uses"
+ },
 {
 "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
 "type": "uses"
@@ -12149,13 +12178,6 @@
 {
 "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
 "type": "uses"
- },
- {
- "dest-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656",
@@ -12232,10 +12254,12 @@
 "external_id": "G1005",
 "refs": [
 "https://attack.mitre.org/groups/G1005",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
 "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/"
 ],
 "synonyms": [
- "POLONIUM"
+ "POLONIUM",
+ "Plaid Rain"
 ]
 },
 "related": [
@@ -12290,15 +12314,7 @@
 "Taidoor"
 ]
 },
- "related": [
- {
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- }
- ],
+ "related": [],
 "uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46",
 "value": "Taidoor - G0015"
 },
@@ -12513,13 +12529,6 @@
 {
 "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
 "type": "uses"
- },
- {
- "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "fd19bd82-1b14-49a1-a176-6cdc46b8a826",
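Review bot: In hunk `@@ -12290,15 +12314,7 @@` the Taidoor - G0015 cluster is left with `"related": []`; the deleted `uses` relation to `4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5` was its only entry, so unlike the surrounding hunks this is not the removal of a duplicate. If the relation was dropped because the upstream group entry no longer carries it, the empty list is the right result, but otherwise the cluster loses its only outgoing link and that is easy to miss among the dedup hunks. Either a sentence in the commit description naming this case, or keeping the entry as `{ "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "type": "uses" }` without its `tags`, would make the intent explicit.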
@@ -12714,31 +12723,18 @@
 {
 "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
 "type": "uses"
- },
- {
- "dest-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a",
 "value": "DragonOK - G0017"
 },
 {
- "description": "[Orangeworm](https://attack.mitre.org/groups/G0071) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.(Citation: Symantec Orangeworm April 2018)",
+ "description": "[Orangeworm](https://attack.mitre.org/groups/G0071) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.(Citation: Symantec Orangeworm April 2018) Reverse engineering of [Kwampirs](https://attack.mitre.org/software/S0236), directly associated with [Orangeworm](https://attack.mitre.org/groups/G0071) activity, indicates significant functional and development overlaps with [Shamoon](https://attack.mitre.org/software/S0140).(Citation: Cylera Kwampirs 2022)",
 "meta": {
 "external_id": "G0071",
 "refs": [
 "https://attack.mitre.org/groups/G0071",
+ "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf",
 "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
 ],
 "synonyms": [
@@ -12803,6 +12799,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
 "type": "uses"
@@ -12835,10 +12835,6 @@
 "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
 "type": "uses"
@@ -13073,27 +13069,6 @@
 {
 "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
 "type": "uses"
- },
- {
- "dest-uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
@@ -13244,13 +13219,12 @@
 "value": "Silence - G0091"
 },
 {
- "description": "[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)\n\nIn 2017, MITRE developed an APT3 Adversary Emulation Plan.(Citation: APT3 Adversary Emulation Plan)",
+ "description": "[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)",
 "meta": {
 "external_id": "G0022",
 "refs": [
 "http://pwc.blogs.com/cyber_security_updates/2015/07/pirpi-scanbox.html",
 "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
- "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf",
 "https://attack.mitre.org/groups/G0022",
 "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html",
 "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
@@ -13469,26 +13443,20 @@
 {
 "dest-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8",
 "type": "uses"
- },
- {
- "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
 "value": "APT3 - G0022"
 },
 {
- "description": "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.",
+ "description": "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.",
 "meta": {
 "external_id": "G0082",
 "refs": [
 "https://attack.mitre.org/groups/G0082",
 "https://content.fireeye.com/apt/rpt-apt38",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
 "https://securelist.com/lazarus-under-the-hood/77908/",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-239a",
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/",
@@ -13500,7 +13468,9 @@
 "NICKEL GLADSTONE",
 "BeagleBoyz",
 "Bluenoroff",
- "Stardust Chollima"
+ "Stardust Chollima",
+ "Sapphire Sleet",
+ "COPERNICIUM"
 ]
 },
 "related": [
@@ -13766,13 +13736,6 @@
 {
 "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
 "type": "uses"
- },
- {
- "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "62a64fd3-aaf7-4d09-a375-d6f8bb118481",
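Review bot: In hunk `@@ -13469,26 +13443,20 @@` the new APT38 description replaces `Bancomext (2018) and Banco de Chile (2018)` with `Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018)`, so the years of those two operations are no longer stated in the sentence and the same citation then appears a third time at its end. If this mirrors the upstream ATT&CK text verbatim it should stay as is, since the cluster is a generated copy; otherwise keeping `Bancomext (2018) and Banco de Chile (2018)` with the single citation at the end of the sentence reads better and loses nothing. The description line was also split across two physical lines in the rendered diff, which the layout repair above rejoins.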
@@ -13796,13 +13759,6 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
- },
- {
- "dest-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
 }
 ],
 "uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772",
@@ -13877,13 +13833,6 @@
 {
 "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
 "type": "uses"
- },
- {
- "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a",
@@ -13906,11 +13855,12 @@
 "value": "Honeybee - G0072"
 },
 {
- "description": "[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)",
+ "description": "[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.(Citation: FireEye APT33 Sept 2017)(Citation: FireEye APT33 Webinar Sept 2017)",
 "meta": {
 "external_id": "G0064",
 "refs": [
 "https://attack.mitre.org/groups/G0064",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide",
 "https://www.brighttalk.com/webcast/10703/275683",
 "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
 "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
@@ -13919,7 +13869,8 @@
 "synonyms": [
 "APT33",
 "HOLMIUM",
- "Elfin"
+ "Elfin",
+ "Peach Sandstorm"
 ]
 },
 "related": [
@@ -13939,6 +13890,10 @@
 "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d",
 "type": "uses"
@@ -14054,10 +14009,6 @@ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", "type": "uses" @@ -14113,20 +14064,6 @@ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" - }, - { - "dest-uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f", @@ -14144,20 +14081,6 @@ { "dest-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "type": "revoked-by" - }, - { - "dest-uuid": "73a521f6-3bc7-11e8-9e30-df7c90e50dda", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", @@ -14185,7 +14108,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { @@ -14199,13 +14122,6 @@ { "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", @@ -14293,13 +14209,6 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" - }, - { - "dest-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", 
@@ -14314,6 +14223,7 @@ "https://attack.mitre.org/groups/G0035", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks", "https://vblocalhost.com/uploads/VB2021-Slowik.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions", @@ -14333,7 +14243,9 @@ "TG-4192", "Crouching Yeti", "IRON LIBERTY", - "Energetic Bear" + "Energetic Bear", + "Ghost Blizzard", + "BROMINE" ] }, "related": [ @@ -14607,13 +14519,6 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" - }, - { - "dest-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", @@ -14824,20 +14729,6 @@ { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" - }, - { - "dest-uuid": "bb446dc2-4fee-4212-8b2c-3ffa2917e338", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c", 
@@ -14850,6 +14741,7 @@ "refs": [ "https://attack.mitre.org/groups/G0037", "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", @@ -14859,7 +14751,9 @@ "FIN6", "Magecart Group 6", "ITG08", - "Skeleton Spider" + "Skeleton Spider", + "TAAL", + "Camouflage Tempest" ] }, "related": [ @@ -15077,13 +14971,6 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", @@ -15116,13 +15003,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f", @@ -15146,13 +15026,6 @@ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "da49b9f1-ca99-443f-9728-0a074db66850", @@ -15204,6 +15077,10 @@ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" 
@@ -15244,6 +15121,10 @@ "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, + { + "dest-uuid": "3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5", + "type": "uses" + }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" @@ -15336,10 +15217,6 @@ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8", "type": "uses" 
@@ -15491,18 +15368,19 @@ "value": "SilverTerrier - G0083" }, { - "description": "[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified [GALLIUM](https://attack.mitre.org/groups/G0093) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)", + "description": "[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. 
This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.(Citation: Cybereason Soft Cell June 2019) Security researchers have identified [GALLIUM](https://attack.mitre.org/groups/G0093) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)", "meta": { "external_id": "G0093", "refs": [ "https://attack.mitre.org/groups/G0093", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://unit42.paloaltonetworks.com/pingpull-gallium/", "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" ], "synonyms": [ "GALLIUM", - "Operation Soft Cell" + "Granite Typhoon" ] }, "related": [ @@ -15742,13 +15620,6 @@ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" - }, - { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", @@ -15836,6 +15707,7 @@ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", "https://www.justice.gov/opa/page/file/1122671/download", "https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion", + "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", "https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" ], "synonyms": [ 
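Review bot: The synonyms hunk for G0093 drops `"Operation Soft Cell"` while the new description sentence in the same hunk still introduces the group by that name, so a search or an existing tag that used the alias no longer resolves to this cluster. If Operation Soft Cell is now tracked as its own cluster, add a `related` entry pointing at it (`{ "dest-uuid": "<that cluster's uuid>", "type": "related-to" }`) so the correlation survives; if not, keep the alias next to `"Granite Typhoon"`. This looks like an upstream ATT&CK sync, so if the data is mirrored verbatim the fix belongs in the generator's alias handling rather than in a hand edit here.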
@@ -15846,7 +15718,8 @@ "APT10", "Red Apollo", "CVNX", - "HOGFISH" + "HOGFISH", + "BRONZE RIVERSIDE" ] }, "related": [ @@ -15874,6 +15747,10 @@ "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", "type": "uses" @@ -15990,6 +15867,10 @@ "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, + { + "dest-uuid": "54089fba-8662-4f37-9a44-6ad25a5f630a", + "type": "uses" + }, { "dest-uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c", "tags": [ @@ -16065,10 +15946,6 @@ "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" @@ -16140,13 +16017,6 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", @@ -16215,13 +16085,6 @@ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "d1acfbb3-647b-4723-9154-800ec119006e", 
@@ -16234,6 +16097,7 @@ "refs": [ "http://blog.morphisec.com/fin7-attacks-restaurant-industry", "https://attack.mitre.org/groups/G0046", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/", "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", @@ -16242,13 +16106,16 @@ "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://www.mandiant.com/resources/evolution-of-fin7", + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://www.secureworks.com/research/threat-profiles/gold-niagara" ], "synonyms": [ "FIN7", "GOLD NIAGARA", "ITG14", - "Carbon Spider" + "Carbon Spider", + "ELBRUS", + "Sangria Tempest" ] }, "related": [ @@ -16367,6 +16234,10 @@ "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "uses" + }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" @@ -16491,6 +16362,10 @@ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, + { + "dest-uuid": "d9f7383c-95ec-4080-bbce-121c9384457b", + "type": "uses" + }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" 
@@ -16528,17 +16403,7 @@ "type": "uses" }, { - "dest-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" } ], @@ -16630,13 +16495,6 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" - }, - { - "dest-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f", @@ -16654,6 +16512,7 @@ "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/", "https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/", "https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/", "https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/", "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", @@ -16662,10 +16521,10 @@ ], "synonyms": [ "Kimsuky", - "STOLEN PENCIL", - "Thallium", "Black Banshee", - "Velvet Chollima" + "Velvet Chollima", + "Emerald Sleet", + "THALLIUM" ] }, "related": [ @@ -16797,10 +16656,6 @@ "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "type": "uses" - }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" 
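Review bot: The synonyms hunk for Kimsuky (G0094) replaces `"Thallium"` with `"THALLIUM"` and removes `"STOLEN PENCIL"` outright, so any consumer that matches synonyms case-sensitively, or that tagged events with the STOLEN PENCIL name, silently loses the mapping. Keeping the old spelling beside the new one (`"Thallium", "THALLIUM"`) costs nothing, and STOLEN PENCIL should either stay as an alias or be linked from a `related` entry if it has become a separate campaign cluster. The added Microsoft naming reference explains `"Emerald Sleet"`, but nothing in the hunk records why the other two names were dropped; a one-line note in the commit message would help the next sync.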
@@ -17070,7 +16925,7 @@ "value": "Kimsuky - G0094" }, { - "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)", "meta": { "external_id": "G0049", "refs": [ 
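Review bot: The reworded G0049 description turns a sourced assessment into an unqualified claim: `The group works on behalf of the Iranian government based on infrastructure details…` now sits two sentences after `is a suspected Iranian threat group`, so the paragraph contradicts itself on attribution confidence. Dropping `FireEye assesses that` also detaches the claim from the citation that supports it, since `FireEye APT34 Dec 2017` is moved to the front of the citation list but no longer named in the text. Suggest `The group is assessed to work on behalf of the Iranian government, based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)`; if the text must mirror upstream ATT&CK verbatim, raise the wording there rather than diverging here.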
@@ -17079,6 +16934,7 @@ "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", "http://www.clearskysec.com/oilrig/", "https://attack.mitre.org/groups/G0049", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://pan-unit42.github.io/playbook_viewer/", "https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens", "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", @@ -17093,7 +16949,9 @@ "IRN2", "APT34", "Helix Kitten", - "Evasive Serpens" + "Evasive Serpens", + "Hazel Sandstorm", + "EUROPIUM" ] }, "related": [ @@ -17133,6 +16991,10 @@ "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" @@ -17319,10 +17181,6 @@ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", "type": "uses" @@ -17418,20 +17276,6 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" - }, - { - "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", @@ -17469,13 +17313,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "025bdaa9-897d-4bad-afa6-013ba5734653", 
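Review bot: The last related-hunk for OilRig (cluster `4ca1929c-…`) removes the `similar` link to `b96e02f1-4037-463f-b158-5a964352f8d9` tagged `likelihood-probability="likely"`, which unlike the paired removals elsewhere in this commit is not a duplicate of an adjacent untagged entry (the retained neighbour is a `uses` of `ff6caf67-…`) and gets no replacement in the hunk. The `b3d682b6-…` removal in the same hunk is consistent with the `0d91b3c0-…` swap seen across the other groups, but the `similar` edge appears to be the cross-galaxy correlation for this group, and dropping it means events tagged with the other cluster no longer correlate to G0049. If these `similar` edges are regenerated by a separate step, say so in the commit message; otherwise keep the entry, `{ "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }`. The same pattern shows up in the hunks for `fbd29c89-…`, `68ba94ab-…` and `4a2ce82e-…`.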
@@ -17563,13 +17400,6 @@ { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" - }, - { - "dest-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c", @@ -17581,6 +17411,7 @@ "external_id": "G0065", "refs": [ "https://attack.mitre.org/groups/G0065", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://us-cert.cisa.gov/ncas/alerts/aa21-200a", "https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies", "https://www.crowdstrike.com/blog/two-birds-one-stone-panda/", @@ -17598,7 +17429,8 @@ "BRONZE MOHAWK", "TEMP.Jumper", "APT40", - "TEMP.Periscope" + "TEMP.Periscope", + "Gingham Typhoon" ] }, "related": [ @@ -17626,6 +17458,10 @@ "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" @@ -17793,10 +17629,6 @@ "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" @@ -17852,13 +17684,6 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" - }, - { - "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "7113eaa5-ba79-4fb3-b68a-398ee9cd698e", @@ -17901,6 +17726,10 @@ "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "type": "uses" + }, { "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", "type": "uses" 
@@ -18028,6 +17857,10 @@ "dest-uuid": "039814a0-88de-46c5-a4fb-b293db21880a", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" @@ -18052,10 +17885,6 @@ "dest-uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" @@ -18102,13 +17931,6 @@ { "dest-uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5", "type": "uses" - }, - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "03506554-5f37-4f8f-9ce4-0e9f01a1b484", @@ -18241,13 +18063,6 @@ { "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f9c06633-dcff-48a1-8588-759e7cec5694", @@ -18260,6 +18075,7 @@ "refs": [ "https://attack.mitre.org/groups/G0069", "https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies", 
@@ -18268,6 +18084,7 @@ "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf", "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/", "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", + "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign", "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group", "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" ], @@ -18277,7 +18094,9 @@ "MERCURY", "Static Kitten", "Seedworm", - "TEMP.Zagros" + "TEMP.Zagros", + "Mango Sandstorm", + "TA450" ] }, "related": [ @@ -18405,10 +18224,6 @@ "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, - { - "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", - "type": "uses" - }, { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "type": "uses" @@ -18583,13 +18398,6 @@ { "dest-uuid": "ff41b9b6-4c1d-407b-a7e2-835109c8dbc5", "type": "uses" - }, - { - "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "269e8108-68c6-4f99-b911-14b2e765dec2", @@ -18879,6 +18687,10 @@ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" @@ -18967,10 +18779,6 @@ "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326", "type": "uses" 
@@ -19392,10 +19200,15 @@ "external_id": "G1012", "refs": [ "https://attack.mitre.org/groups/G1012", - "https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", + "https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021", + "https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media" ], "synonyms": [ - "CURIUM" + "CURIUM", + "Crimson Sandstorm", + "TA456", + "Tortoise Shell" ] }, "related": [ @@ -19440,6 +19253,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" @@ -19519,10 +19336,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" @@ -19715,6 +19528,10 @@ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, + { + "dest-uuid": "ea132c68-b518-4478-ae8d-1763cda26ee3", + "type": "uses" + }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" @@ -19744,6 +19561,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "3be1fb7a-0f7e-415e-8e3a-74a80d596e68", "type": "uses" @@ -19760,10 +19581,6 @@ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" 
@@ -20288,6 +20105,353 @@ "uuid": "7251b44b-6072-476c-b8d9-a6e32c355b28", "value": "MoustachedBouncer - G1019" }, + { + "description": "[ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)", + "meta": { + "external_id": "G1022", + "refs": [ + "https://attack.mitre.org/groups/G1022", + "https://securelist.com/toddycat-keep-calm-and-check-logs/110696/", + "https://securelist.com/toddycat/106799/" + ], + "synonyms": [ + "ToddyCat" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "type": "uses" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "uses" + }, + { + "dest-uuid": "023254de-caaf-4a05-b2c7-e4e2f283f7a5", + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "uses" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "type": "uses" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "uses" + }, + { + "dest-uuid": "452da2d9-706c-4185-ad6f-f5edaf4b9f48", + "type": "uses" + }, + { + "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", + "type": "uses" + }, + { + "dest-uuid": 
"4f9ca633-15c5-463c-9724-bdcd54fde541", + "type": "uses" + }, + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "type": "uses" + }, + { + "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + }, + { + "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", + "type": "uses" + }, + { + "dest-uuid": "ae91fb8f-5031-4f57-9839-e3be3ed503f0", + "type": "uses" + }, + { + "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", + "type": "uses" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "uses" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "uses" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "uses" + }, + { + "dest-uuid": "e4feffc2-53d1-45c9-904e-adb9faca0d15", + "type": "uses" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "uses" + } + ], + "uuid": "b516b235-fc7d-4635-aca5-3d33312339c3", + "value": "ToddyCat - G1022" + }, + { + "description": "[APT5](https://attack.mitre.org/groups/G1023) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. 
[APT5](https://attack.mitre.org/groups/G1023) has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.(Citation: NSA APT5 Citrix Threat Hunting December 2022)(Citation: Microsoft East Asia Threats September 2023)(Citation: Mandiant Pulse Secure Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update May 2021)(Citation: FireEye Southeast Asia Threat Landscape March 2015)(Citation: Mandiant Advanced Persistent Threats) ", + "meta": { + "external_id": "G1023", + "refs": [ + "https://attack.mitre.org/groups/G1023", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", + "https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF", + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW", + "https://web.archive.org/web/20220122121143/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf", + "https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day", + "https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices", + "https://www.mandiant.com/resources/insights/apt-groups", + "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood" + ], + "synonyms": [ + "APT5", + "Mulberry Typhoon", + "MANGANESE", + "BRONZE FLEETWOOD", + "Keyhole Panda", + "UNC2630" + ] + }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "type": "uses" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "uses" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "type": "uses" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "uses" + }, + { + 
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "uses" + }, + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "type": "uses" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "type": "uses" + }, + { + "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", + "type": "uses" + }, + { + "dest-uuid": "3a53b207-aba2-4a2b-9cdb-273d633669e7", + "type": "uses" + }, + { + "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", + "type": "uses" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "type": "uses" + }, + { + "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", + "type": "uses" + }, + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "type": "uses" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "uses" + }, + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "type": "uses" + }, + { + "dest-uuid": "647215dd-29a6-4528-b354-ca8b5e08fca1", + "type": "uses" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "type": "uses" + }, + { + "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "type": "uses" + }, + { + "dest-uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969", + "type": "uses" + }, + { + "dest-uuid": "880f7b3e-ad27-4158-8b03-d44c9357950b", + "type": "uses" + }, + { + "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "type": "uses" + }, + { + "dest-uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + 
"type": "uses" + }, + { + "dest-uuid": "9a097d18-d15f-4635-a4f1-189df7efdc40", + "type": "uses" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "type": "uses" + }, + { + "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "type": "uses" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "uses" + }, + { + "dest-uuid": "d1008b78-960c-4b36-bdc4-39a734e1e4e3", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "type": "uses" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "type": "uses" + }, + { + "dest-uuid": "f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4", + "type": "uses" + } + ], + "uuid": "c1aab4c9-4c34-4f4f-8541-d529e46a07f9", + "value": "APT5 - G1023" + }, { "description": "[CostaRicto](https://attack.mitre.org/groups/G0132) is a suspected hacker-for-hire cyber espionage campaign that has targeted multiple industries worldwide since at least 2019. [CostaRicto](https://attack.mitre.org/groups/G0132)'s targets, a large portion of which are financial institutions, are scattered across Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia.(Citation: BlackBerry CostaRicto November 2020)", "meta": { 
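Review bot: The new APT5 (G1023) description string ends with a trailing space after `(Citation: Mandiant Advanced Persistent Threats) `, which becomes part of the cluster value and will reappear as a spurious diff whenever the generator normalises whitespace; trim it to `…(Citation: Mandiant Advanced Persistent Threats)"`. The ToddyCat entry in the same hunk has no such issue. Separately, the APT5 refs list cites the Microsoft East Asia report through an opaque CMS download URL (`https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW`); an archived copy or the report's landing page would be a more durable citation for a threat-intel record.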
@@ -20304,6 +20468,96 @@ "uuid": "bb82e0b0-6e9c-439f-970a-4c917a74c5f2", "value": "CostaRicto - G0132" }, + { + "description": "[Akira](https://attack.mitre.org/groups/G1024) is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) [Akira](https://attack.mitre.org/groups/G1024) uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) [Akira](https://attack.mitre.org/groups/G1024) operations are associated with \"double extortion\" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of [Akira](https://attack.mitre.org/software/S1129) ransomware indicates multiple overlaps with and similarities to [Conti](https://attack.mitre.org/software/S0575) malware.(Citation: BushidoToken Akira 2023)", + "meta": { + "external_id": "G1024", + "refs": [ + "https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/", + "https://attack.mitre.org/groups/G1024", + "https://blog.bushidotoken.net/2023/09/tracking-adversaries-akira-another.html", + "https://www.crowdstrike.com/adversaries/punk-spider/", + "https://www.secureworks.com/research/threat-profiles/gold-sahara" + ], + "synonyms": [ + "Akira", + "GOLD SAHARA", + "PUNK SPIDER" + ] + }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "type": "uses" + }, + { + "dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a", + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "uses" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "type": "uses" + }, + { + "dest-uuid": "59096109-a1dd-463b-87e7-a8d110fe3a79", + "type": "uses" + }, + { + "dest-uuid": 
"6f6b2353-4b39-40ce-9d6d-d00b7a61e656", + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "type": "uses" + }, + { + "dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3", + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "type": "uses" + }, + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "type": "uses" + }, + { + "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "type": "uses" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "type": "uses" + }, + { + "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87", + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "type": "uses" + } + ], + "uuid": "46bb06cb-f2d9-4b37-8c92-a27e224ad90d", + "value": "Akira - G1024" + }, { "description": "[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)", "meta": { 
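Review bot: The G1024 description grounds Akira in the S1129 ransomware and in Conti (S0575), yet none of the seventeen `uses` dest-uuids in this hunk is identifiable as a software cluster, while the APT5 list added just above carries `uses` links to uuids that appear as mitre-malware.json clusters later in this diff (88c621a7-aef9-4ae0-94e3-1fc87123eb24, 89f63ae4-f229-4a5c-95ad-6f22ed2b5c49). If the generator emits group-to-software relations, the G1024-to-S1129 link is presumably missing from this array and should be checked before merge, since a sample tagged with the Akira software cluster would otherwise not correlate to the group in MISP. The CrowdStrike PUNK SPIDER URL sits in refs but nothing in the description cites it; adding `(Citation: CrowdStrike PUNK SPIDER)` next to the alias claim would keep the synonym traceable, though that text comes from upstream ATT&CK and may have to be fixed there rather than here.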
@@ -20468,12 +20722,14 @@ "external_id": "G0125", "refs": [ "https://attack.mitre.org/groups/G0125", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/" ], "synonyms": [ "HAFNIUM", - "Operation Exchange Marauder" + "Operation Exchange Marauder", + "Silk Typhoon" ] }, "related": [ @@ -20648,6 +20904,10 @@ "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" @@ -20712,10 +20972,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" 
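Review bot: The `@@ -20712,10 +20972,6 @@` hunk drops HAFNIUM's `uses` relation to b3d682b6-98f2-4fb0-aa3b-b4df007ca70a while `@@ -20648,6 +20904,10 @@` adds 0d91b3c0-5e50-47c3-949a-2a796f04d144, and the same one-for-one swap recurs for Andariel and in roughly a dozen mitre-malware.json entries below, which looks like a parent technique being re-scoped to a newly added sub-technique (plausibly T1027 to a T1027.0xx child; not confirmable from the hunk). Anything keyed on the parent uuid — existing MISP event tags, Navigator layers, detection-to-technique mappings — will silently stop matching HAFNIUM after this update unless the consumer walks `subtechnique-of`. A scripted assertion that every removed dest-uuid is the parent of an added one, or a changelog line naming the replaced and replacing technique, would make the migration auditable. The "Silk Typhoon" synonym and the Microsoft naming URL added in the first hunk are consistent with each other.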
@@ -20760,6 +21016,100 @@ "uuid": "54dfec3e-6464-4f74-9d69-b7c817b7e5a3", "value": "Higaisa - G0126" }, + { + "description": "[Malteiro](https://attack.mitre.org/groups/G1026) is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the [Mispadu](https://attack.mitre.org/software/S1122) banking trojan via a Malware-as-a-Service (MaaS) business model. [Malteiro](https://attack.mitre.org/groups/G1026) mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).(Citation: SCILabs Malteiro 2021)", + "meta": { + "external_id": "G1026", + "refs": [ + "https://attack.mitre.org/groups/G1026", + "https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/" + ], + "synonyms": [ + "Malteiro" + ] + }, + "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "uses" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "uses" + }, + { + "dest-uuid": "4e6464d2-69df-4e56-8d4c-1973f84d7b80", + "type": "uses" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "uses" + }, + { + "dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3", + "type": "uses" + }, + { + "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "uses" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "type": "uses" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "uses" + } + ], + "uuid": "bf668120-e9a6-4017-a014-bfc0f5232656", + "value": "Malteiro - 
G1026" + }, + { + "description": "[UNC788](https://attack.mitre.org/groups/G1029) is a group of hackers from Iran that has targeted people in the Middle East.(Citation: Meta Adversarial Threat Report 2022)", + "meta": { + "external_id": "G1029", + "refs": [ + "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf", + "https://attack.mitre.org/groups/G1029" + ], + "synonyms": [ + "UNC788" + ] + }, + "related": [ + { + "dest-uuid": "55714f87-6178-4b89-b3e5-d3a643f647ca", + "type": "uses" + }, + { + "dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df", + "type": "uses" + } + ], + "uuid": "1f322d74-4822-4d60-8f64-414eea8a9258", + "value": "UNC788 - G1029" + }, { "description": "[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.(Citation: Microsoft Targeting Elections September 2020)(Citation: Check Point APT31 February 2021)", "meta": { @@ -20767,11 +21117,13 @@ "refs": [ "https://attack.mitre.org/groups/G0128", "https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://research.checkpoint.com/2021/the-story-of-jian/" ], "synonyms": [ "ZIRCONIUM", - "APT31" + "APT31", + "Violet Typhoon" ] }, "related": [ 
@@ -21049,12 +21401,15 @@ "https://adversary.crowdstrike.com/en-US/adversary/silent-chollima/", "https://attack.mitre.org/groups/G0138", "https://home.treasury.gov/news/press-releases/sm774", + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1680.do", "https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html" ], "synonyms": [ "Andariel", - "Silent Chollima" + "Silent Chollima", + "PLUTONIUM", + "Onyx Sleet" ] }, "related": [ @@ -21147,6 +21502,10 @@ "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" @@ -21319,10 +21678,6 @@ "dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", "type": "uses" @@ -21376,5 +21731,5 @@ "value": "TeamTNT - G0139" } ], - "version": 33 + "version": 34 } diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json index 84f2cd6c..e55e0958 100644 --- a/clusters/mitre-malware.json +++ b/clusters/mitre-malware.json @@ -29,13 +29,6 @@ { "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", "type": "uses" - }, - { - "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", 
@@ -79,27 +72,6 @@ { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" - }, - { - "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "56660521-6db4-4e5a-a927-464f22954b7c", @@ -197,6 +169,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "type": "uses" @@ -217,10 +193,6 @@ "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" @@ -261,6 +233,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" @@ -277,10 +253,6 @@ "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" @@ -357,6 +329,10 @@ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" 
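Review bot: The `@@ -79,27 +72,6 @@` hunk removes the `similar` relation to ccd61dfc-b03f-4689-8c18-7c97eab08472 (tagged likely) along with the tagged `uses` entries, whereas later hunks in this file (`@@ -6046,13 +5877,6 @@`, `@@ -6445,13 +6227,6 @@`) keep their likely-tagged `similar` entry as context and strip only the tagged `uses`. Unless cluster 56660521-6db4-4e5a-a927-464f22954b7c already has an untagged `similar` to ccd61dfc… earlier in its array, this drops a cross-cluster link that the cleanup preserves elsewhere. The same question applies to the tagged `uses` removals whose dest-uuid has no visible untagged twin in the hunk (a93ccb8f… here, 0f20e3cb… in `@@ -29,13 +29,6 @@`, 42e8de7b… in `@@ -450,13 +422,6 @@`); the untagged lists look alphabetically sorted with the tagged entries appended, so twins plausibly exist above, but a script asserting that every removed dest-uuid survives as an untagged relation on the same cluster would turn that into a fact.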
@@ -419,10 +395,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" @@ -450,13 +422,6 @@ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", @@ -496,6 +461,10 @@ "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, + { + "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "type": "uses" + }, { "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "type": "uses" @@ -526,6 +495,10 @@ "dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922", "type": "uses" }, + { + "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", + "type": "uses" + }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" @@ -541,20 +514,6 @@ { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" - }, - { - "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", 
@@ -614,7 +573,7 @@ "value": "XLoader for Android - S0318" }, { - "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. (Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).", + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.(Citation: Lookout-Pegasus)(Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).", "meta": { "external_id": "S0289", "mitre_platforms": [ @@ -657,6 +616,10 @@ "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, + { + "dest-uuid": "6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", + "type": "uses" + }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" @@ -680,6 +643,10 @@ "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb", "type": "uses" }, + { + "dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df", + "type": "uses" + }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" @@ -695,20 +662,6 @@ { "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", 
@@ -973,13 +926,6 @@ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", @@ -1044,13 +990,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", @@ -1075,13 +1014,6 @@ { "dest-uuid": "d4b96d2c-1032-4b22-9235-2b5b649d0605", "type": "uses" - }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49", @@ -1108,13 +1040,6 @@ { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" - }, - { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85", @@ -1167,13 +1092,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", @@ -1323,13 +1241,6 @@ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" - }, - { - "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", 
@@ -1360,6 +1271,10 @@ "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" @@ -1400,10 +1315,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" @@ -1487,20 +1398,6 @@ { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", @@ -1544,13 +1441,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", @@ -1658,13 +1548,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", @@ -1797,13 +1680,6 @@ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" - }, - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", 
@@ -2171,6 +2047,10 @@ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" @@ -2215,10 +2095,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" @@ -2330,13 +2206,6 @@ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", @@ -3063,6 +2932,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" @@ -3131,10 +3004,6 @@ "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" 
@@ -3222,18 +3091,43 @@ { "dest-uuid": "0042a9f5-f053-4769-b3ef-9ad018dfa298", "type": "uses" - }, - { - "dest-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3", "value": "Power Loader - S0177" }, + { + "description": "[HUI Loader](https://attack.mitre.org/software/S1097) is a custom DLL loader that has been used since at least 2015 by China-based threat groups including [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) and [menuPass](https://attack.mitre.org/groups/G0045) to deploy malware on compromised hosts. [HUI Loader](https://attack.mitre.org/software/S1097) has been observed in campaigns loading [SodaMaster](https://attack.mitre.org/software/S0627), [PlugX](https://attack.mitre.org/software/S0013), [Cobalt Strike](https://attack.mitre.org/software/S0154), [Komplex](https://attack.mitre.org/software/S0162), and several strains of ransomware.(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)", + "meta": { + "external_id": "S1097", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1097", + "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader" + ], + "synonyms": [ + "HUI Loader" + ] + }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", + "type": "uses" + } + ], + "uuid": "54089fba-8662-4f37-9a44-6ad25a5f630a", + "value": "HUI Loader - S1097" + }, { "description": "[Brave Prince](https://attack.mitre.org/software/S0252) is a Korean-language implant that was first observed in the wild in December 2017. 
It contains similar code and behavior to [Gold Dragon](https://attack.mitre.org/software/S0249), and was seen along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [RunningRAT](https://attack.mitre.org/software/S0253) in operations surrounding the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)", "meta": { @@ -3304,6 +3198,10 @@ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", "type": "uses" @@ -3347,10 +3245,6 @@ "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec", "tags": [ @@ -3369,13 +3263,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0", @@ -3535,6 +3422,10 @@ "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "uses" }, + { + "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "type": "uses" + }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" @@ -3547,6 +3438,10 @@ "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, + { + "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", + "type": "uses" + }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" @@ -3812,6 +3707,10 @@ "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" 
@@ -3856,10 +3755,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" @@ -4154,6 +4049,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" @@ -4198,10 +4097,6 @@ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" @@ -4538,13 +4433,6 @@ { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" - }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "28e39395-91e7-4f02-b694-5e079c964da9", @@ -4563,13 +4451,6 @@ { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" - }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "a1867c56-8c86-455a-96ad-b0d5f7e2bc17", @@ -4588,13 +4469,6 @@ { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" - }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "d89c132d-7752-4c7f-9372-954a71522985", @@ -4687,13 +4561,6 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", 
@@ -4794,13 +4661,6 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" - }, - { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", @@ -4822,6 +4682,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" @@ -4830,10 +4694,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" @@ -4864,13 +4724,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", @@ -4889,13 +4742,6 @@ { "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", "type": "uses" - }, - { - "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234", @@ -4957,6 +4803,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" @@ -5017,10 +4867,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" 
@@ -5185,20 +5031,6 @@ { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" - }, - { - "dest-uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", @@ -5315,13 +5147,6 @@ { "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", "type": "uses" - }, - { - "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec", @@ -5354,20 +5179,6 @@ { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" - }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8", @@ -5412,13 +5223,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", @@ -5513,13 +5317,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", 
@@ -5632,13 +5429,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", @@ -5736,6 +5526,10 @@ "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" @@ -5800,10 +5594,6 @@ "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" 
@@ -5840,6 +5630,54 @@
 "uuid": "b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29",
 "value": "OSX_OCEANLOTUS.D - S0352"
 },
+ {
+ "description": "[LITTLELAMB.WOOLTEA](https://attack.mitre.org/software/S1121) is a backdoor that was used by UNC5325 during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.(Citation: Mandiant Cutting Edge Part 3 February 2024)",
+ "meta": {
+ "external_id": "S1121",
+ "mitre_platforms": [
+ "Network"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1121",
+ "https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence"
+ ],
+ "synonyms": [
+ "LITTLELAMB.WOOLTEA"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "type": "uses"
+ }
+ ],
+ "uuid": "19256855-65e9-48f2-8b74-9f3d0a994428",
+ "value": "LITTLELAMB.WOOLTEA - S1121"
+ },
 {
 "description": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)",
 "meta": {
@@ -6001,13 +5839,6 @@
 {
 "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
 "type": "uses"
- },
- {
- "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
@@ -6046,13 +5877,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6", @@ -6104,13 +5928,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", @@ -6148,13 +5965,6 @@ { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", @@ -6203,13 +6013,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517", @@ -6228,13 +6031,6 @@ { "dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d", "type": "uses" - }, - { - "dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", @@ -6337,13 +6133,6 @@ { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", 
@@ -6379,13 +6168,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", @@ -6445,13 +6227,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", @@ -6596,13 +6371,6 @@ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" - }, - { - "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", @@ -6759,13 +6527,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", @@ -6803,13 +6564,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", @@ -6882,13 +6636,6 @@ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" - }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "95047f03-4811-4300-922e-1ba937d53a61", 
@@ -6979,18 +6726,135 @@ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", "value": "Rover - S0090" }, + { + "description": "[Ninja](https://attack.mitre.org/software/S1100) is a malware developed in C++ that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) to penetrate networks and control remote systems since at least 2020. [Ninja](https://attack.mitre.org/software/S1100) is possibly part of a post exploitation toolkit exclusively used by [ToddyCat](https://attack.mitre.org/groups/G1022) and allows multiple operators to work simultaneously on the same machine. [Ninja](https://attack.mitre.org/software/S1100) has been used against government and military entities in Europe and Asia and observed in specific infection chains being deployed by [Samurai](https://attack.mitre.org/software/S1099).(Citation: Kaspersky ToddyCat June 2022)", + "meta": { + "external_id": "S1100", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1100", + "https://securelist.com/toddycat/106799/" + ], + "synonyms": [ + "Ninja" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "uses" + }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "uses" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "uses" + }, + { + 
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "type": "uses" + }, + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "type": "uses" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "uses" + }, + { + "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "uses" + }, + { + "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", + "type": "uses" + }, + { + "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "uses" + }, + { + "dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995", + "type": "uses" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "type": "uses" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "type": "uses" + } + ], + "uuid": "023254de-caaf-4a05-b2c7-e4e2f283f7a5", + "value": "Ninja - S1100" + }, { "description": "[Taidoor](https://attack.mitre.org/software/S0011) is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021) [Taidoor](https://attack.mitre.org/software/S0011) has primarily been used against Taiwanese government organizations since at least 2010.(Citation: TrendMicro Taidoor)", "meta": { 
@@ -7008,6 +6872,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" @@ -7052,10 +6920,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" @@ -7094,13 +6958,6 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "b143dfa4-e944-43ff-8429-bfffc308c517", @@ -7115,8 +6972,8 @@ ], "refs": [ "https://attack.mitre.org/software/S0109", - "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip", - "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf" ], "synonyms": [ "WEBC2" @@ -7141,13 +6998,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "1d808f62-cf63-4063-9727-ff6132514c22", @@ -7259,13 +7109,6 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "94379dec-5c87-49db-b36e-66abc0b81344", 
@@ -7366,13 +7209,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", @@ -7484,13 +7320,6 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "b42378e0-f147-496f-992a-26a49705395b", @@ -7516,6 +7345,10 @@ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" @@ -7549,11 +7382,11 @@ "type": "uses" }, { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { @@ -7628,13 +7461,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a", @@ -7719,13 +7545,6 @@ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" - }, - { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", 
@@ -7785,13 +7604,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e", @@ -7952,13 +7764,6 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", @@ -7993,6 +7798,10 @@ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" @@ -8033,10 +7842,6 @@ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" @@ -8093,6 +7898,10 @@ "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" @@ -8117,10 +7926,6 @@ "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" 
@@ -8138,7 +7943,7 @@ "value": "Fysbis - S0410" }, { - "description": "[Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)", + "description": "[Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) and Filerase to carry out data wiping tasks. Analysis has linked [Shamoon](https://attack.mitre.org/software/S0140) with [Kwampirs](https://attack.mitre.org/software/S0236) based on multiple shared artifacts and coding patterns.(Citation: Cylera Kwampirs 2022) The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)", "meta": { "external_id": "S0140", "mitre_platforms": [ 
@@ -8147,6 +7952,7 @@ "refs": [ "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/", "https://attack.mitre.org/software/S0140", + "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf", "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/", "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html", "https://www.symantec.com/connect/blogs/shamoon-attacks" @@ -8259,13 +8065,6 @@ { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", @@ -8284,13 +8083,6 @@ { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "type": "uses" - }, - { - "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085", @@ -8347,13 +8139,6 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", @@ -8413,20 +8198,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "6e45f758-7bd9-44b8-a21c-7309614ae176", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", 
@@ -8507,13 +8278,6 @@ { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" - }, - { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", @@ -8543,6 +8307,10 @@ "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" @@ -8599,10 +8367,6 @@ "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" @@ -8655,13 +8419,6 @@ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" - }, - { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", @@ -8689,6 +8446,10 @@ "dest-uuid": "0470e792-32f8-46b0-a351-652bc35e9336", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" @@ -8765,10 +8526,6 @@ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "type": "uses" @@ -8825,6 +8582,10 @@ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" 
@@ -8905,10 +8666,6 @@ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "type": "uses" @@ -9046,8 +8803,8 @@ ], "refs": [ "https://attack.mitre.org/software/S0017", - "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip", - "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf" ], "synonyms": [ "BISCUIT" @@ -9098,10 +8855,7 @@ "type": "uses" }, { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], @@ -9136,6 +8890,10 @@ "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" @@ -9191,10 +8949,6 @@ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "type": "uses" @@ -9214,13 +8968,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", 
@@ -9256,13 +9003,6 @@ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", @@ -9295,6 +9035,10 @@ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" @@ -9350,10 +9094,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" @@ -9376,13 +9116,6 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", @@ -9512,13 +9245,6 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", @@ -9553,6 +9279,10 @@ ], "type": "similar" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" @@ -9601,10 +9331,6 @@ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f", "tags": [ 
@@ -9631,13 +9357,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", @@ -9864,13 +9583,6 @@ { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", @@ -9949,13 +9661,6 @@ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", @@ -9996,13 +9701,6 @@ { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5bcd5511-6756-4824-a692-e8bb109364af", @@ -10036,6 +9734,10 @@ "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" @@ -10119,10 +9821,6 @@ "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" 
@@ -10185,13 +9883,6 @@ { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" - }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", @@ -10224,13 +9915,6 @@ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" - }, - { - "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "0f1ad2ef-41d4-4b7a-9304-ddae68ea3005", @@ -10358,20 +10042,6 @@ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" - }, - { - "dest-uuid": "56660521-6db4-4e5a-a927-464f22954b7c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", @@ -10413,20 +10083,6 @@ { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" - }, - { - "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", @@ -10561,13 +10217,6 @@ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", 
@@ -10590,6 +10239,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" @@ -10625,10 +10278,6 @@ ], "type": "similar" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" @@ -10655,13 +10304,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f", @@ -10694,20 +10336,6 @@ { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" - }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c", @@ -10784,13 +10412,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", @@ -10971,13 +10592,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde", 
@@ -11128,13 +10742,6 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe", @@ -11170,13 +10777,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", @@ -11211,6 +10811,10 @@ "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" @@ -11259,10 +10863,6 @@ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" @@ -11329,13 +10929,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", @@ -11448,13 +11041,6 @@ { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" - }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", 
@@ -11487,13 +11073,6 @@ { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", @@ -11621,13 +11200,6 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", @@ -11974,13 +11546,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "039814a0-88de-46c5-a4fb-b293db21880a", @@ -12033,13 +11598,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", @@ -12170,13 +11728,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5", @@ -12199,13 +11750,6 @@ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" - }, - { - "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "552462b9-ae79-49dd-855c-5973014e157f", 
@@ -12232,13 +11776,6 @@ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" - }, - { - "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", @@ -12264,6 +11801,10 @@ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", "type": "uses" @@ -12300,10 +11841,6 @@ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" @@ -12319,13 +11856,6 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", @@ -12415,13 +11945,6 @@ { "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae", @@ -12446,13 +11969,6 @@ { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "revoked-by" - }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "310f437b-29e7-4844-848c-7220868d074a", 
@@ -12488,13 +12004,6 @@ { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" - }, - { - "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "20d56cd6-8dff-4871-9889-d32d254816de", @@ -12517,20 +12026,6 @@ { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", @@ -12573,13 +12068,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", @@ -12613,13 +12101,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", @@ -12691,13 +12172,6 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" - }, - { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", 
@@ -12888,13 +12362,6 @@ { "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", "type": "uses" - }, - { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "8b880b41-5139-4807-baa9-309690218719", @@ -12984,13 +12451,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", @@ -13066,6 +12526,10 @@ "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, + { + "dest-uuid": "3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5", + "type": "uses" + }, { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "type": "uses" @@ -13074,10 +12538,6 @@ "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "type": "uses" - }, { "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", "type": "uses" @@ -13254,13 +12714,6 @@ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", @@ -13315,13 +12768,6 @@ { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", @@ -13443,6 +12889,10 @@ "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" 
@@ -13555,10 +13005,6 @@ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" @@ -13653,13 +13099,6 @@ { "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235", "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", @@ -13685,13 +13124,6 @@ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" - }, - { - "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", @@ -13718,11 +13150,11 @@ }, "related": [ { - "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { @@ -13771,6 +13203,10 @@ "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" @@ -13783,10 +13219,6 @@ "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" @@ -13929,13 +13361,6 @@ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" - }, - { - "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "68dca94f-c11d-421e-9287-7c501108e18c", 
@@ -14027,13 +13452,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", @@ -14069,20 +13487,6 @@ { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" - }, - { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", @@ -14181,6 +13585,10 @@ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa", "tags": [ @@ -14241,10 +13649,6 @@ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "type": "uses" @@ -14279,13 +13683,6 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" - }, - { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", @@ -14465,13 +13862,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", 
@@ -14502,6 +13892,10 @@ "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, + { + "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "type": "uses" + }, { "dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb", "type": "uses" @@ -14675,13 +14069,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", @@ -14721,6 +14108,10 @@ "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, + { + "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "type": "uses" + }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" @@ -14898,6 +14289,10 @@ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" @@ -14922,10 +14317,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "type": "uses" @@ -14945,13 +14336,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", @@ -14984,13 +14368,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", 
@@ -15260,6 +14637,10 @@ "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "type": "uses" }, + { + "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "type": "uses" + }, { "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "type": "uses" @@ -15288,6 +14669,10 @@ "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, + { + "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", + "type": "uses" + }, { "dest-uuid": "ccde43e4-78f9-4f32-b401-c081e7db71ea", "type": "uses" @@ -15354,6 +14739,10 @@ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" @@ -15377,10 +14766,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" @@ -15414,13 +14799,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", @@ -15561,13 +14939,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", @@ -15619,13 +14990,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", 
@@ -15948,13 +15312,6 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "8c553311-0baa-4146-997a-f79acef3d831", @@ -16088,6 +15445,10 @@ "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, + { + "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "type": "uses" + }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" @@ -16460,6 +15821,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" @@ -16508,10 +15873,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" @@ -16573,6 +15934,10 @@ "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, + { + "dest-uuid": "dfafc230-5465-4993-8dc5-f51fa9fec002", + "type": "uses" + }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" @@ -16651,13 +16016,6 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", @@ -16695,6 +16053,10 @@ "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, + { + "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "type": "uses" + }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" 
@@ -16785,13 +16147,6 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "22addc7b-b39f-483d-979a-1b35147da5de", @@ -17072,6 +16427,10 @@ "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "type": "uses" + }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" @@ -17212,13 +16571,6 @@ { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "bb3c1098-d654-4620-bf40-694386d28921", @@ -17258,13 +16610,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", @@ -17468,13 +16813,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", @@ -17507,13 +16845,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", 
@@ -17563,13 +16894,6 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", @@ -17631,13 +16955,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", @@ -17678,13 +16995,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", @@ -17727,13 +17037,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", @@ -17801,13 +17104,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", @@ -17943,13 +17239,6 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", 
@@ -18022,18 +17311,112 @@ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "value": "H1N1 - S0132" }, + { + "description": "[SLIGHTPULSE](https://attack.mitre.org/software/S1110) is a web shell that was used by [APT5](https://attack.mitre.org/groups/G1023) as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) entities.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", + "meta": { + "external_id": "S1110", + "mitre_platforms": [ + "Network", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S1110", + "https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day" + ], + "synonyms": [ + "SLIGHTPULSE" + ] + }, + "related": [ + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "type": "uses" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + } + ], + "uuid": "d1008b78-960c-4b36-bdc4-39a734e1e4e3", + "value": "SLIGHTPULSE - S1110" + }, + { + "description": "[LoFiSe](https://attack.mitre.org/software/S1101) has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2023 to identify and collect files of interest on 
targeted systems.(Citation: Kaspersky ToddyCat Check Logs October 2023)", + "meta": { + "external_id": "S1101", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1101", + "https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" + ], + "synonyms": [ + "LoFiSe" + ] + }, + "related": [ + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "uses" + } + ], + "uuid": "452da2d9-706c-4185-ad6f-f5edaf4b9f48", + "value": "LoFiSe - S1101" + }, { "description": "[Tarrask](https://attack.mitre.org/software/S1011) is malware that has been used by [HAFNIUM](https://attack.mitre.org/groups/G0125) since at least August 2021. [Tarrask](https://attack.mitre.org/software/S1011) was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.(Citation: Tarrask scheduled task)", "meta": { 
@@ -18082,6 +17465,54 @@ "uuid": "988976ff-beeb-4fb5-b07d-ca7437ea66e8", "value": "Tarrask - S1011" }, + { + "description": "[FRAMESTING](https://attack.mitre.org/software/S1120) is a Python web shell that was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to embed into an Ivanti Connect Secure Python package for command execution.(Citation: Mandiant Cutting Edge Part 2 January 2024)", + "meta": { + "external_id": "S1120", + "mitre_platforms": [ + "Network" + ], + "refs": [ + "https://attack.mitre.org/software/S1120", + "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" + ], + "synonyms": [ + "FRAMESTING" + ] + }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "uses" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "uses" + }, + { + "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", + "type": "uses" + }, + { + "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + } + ], + "uuid": "bcaae558-9697-47a2-9ec7-c75000ddf58c", + "value": "FRAMESTING - S1120" + }, { "description": "[ROCKBOOT](https://attack.mitre.org/software/S0112) is a [Bootkit](https://attack.mitre.org/techniques/T1542/003) that has been used by an unidentified, suspected China-based group. (Citation: FireEye Bootkits)", "meta": { @@ -18101,13 +17532,6 @@ { "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", "type": "uses" - }, - { - "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", 
@@ -18277,18 +17701,47 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613", "value": "Linfo - S0211" }, + { + "description": "[Pcexter](https://attack.mitre.org/software/S1102) is an uploader that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2023 to exfiltrate stolen files.(Citation: Kaspersky ToddyCat Check Logs October 2023)", + "meta": { + "external_id": "S1102", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1102", + "https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" + ], + "synonyms": [ + "Pcexter" + ] + }, + "related": [ + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "type": "uses" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "uses" + } + ], + "uuid": "e4feffc2-53d1-45c9-904e-adb9faca0d15", + "value": "Pcexter - S1102" + }, { "description": "[PS1](https://attack.mitre.org/software/S0613) is a loader that was used to deploy 64-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020)", "meta": { @@ -18305,6 +17758,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" @@ -18313,10 +17770,6 @@ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" 
@@ -18329,6 +17782,50 @@ "uuid": "13183cdf-280b-46be-913a-5c6df47831e7", "value": "PS1 - S0613" }, + { + "description": "[FlixOnline](https://attack.mitre.org/software/S1103) is an Android malware, first detected in early 2021, believed to target users of WhatsApp. [FlixOnline](https://attack.mitre.org/software/S1103) primarily spreads via automatic replies to a device’s incoming WhatsApp messages.(Citation: checkpoint_flixonline_0421) ", + "meta": { + "external_id": "S1103", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1103", + "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/" + ], + "synonyms": [ + "FlixOnline" + ] + }, + "related": [ + { + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", + "type": "uses" + }, + { + "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "type": "uses" + }, + { + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", + "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "type": "uses" + }, + { + "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", + "type": "uses" + }, + { + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "type": "uses" + } + ], + "uuid": "0ec9593f-3221-49b1-b597-37f307c19f13", + "value": "FlixOnline - S1103" + }, { "description": "[TINYTYPHON](https://attack.mitre.org/software/S0131) is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. (Citation: Forcepoint Monsoon)", "meta": { 
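Review bot: The new `description` for FlixOnline ends with a trailing space inside the string, `…(Citation: checkpoint_flixonline_0421) "`, which none of the other descriptions added in this commit have. If the generator copies descriptions verbatim from the upstream bundle this is harmless but worth a `.strip()`-style normalisation at generation time so values stay byte-stable across regenerations; if it is hand-edited, drop the space. The object is otherwise consistent with its siblings (sorted `related` list, `external_id`, `refs`, `synonyms`).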
@@ -18336,9 +17833,16 @@ "refs": [ "https://attack.mitre.org/software/S0131", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" + ], + "synonyms": [ + "TINYTYPHON" ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" @@ -18350,17 +17854,6 @@ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", @@ -18482,6 +17975,10 @@ "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" @@ -18537,10 +18034,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" @@ -18548,13 +18041,6 @@ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", 
@@ -18624,20 +18110,6 @@ { "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", "type": "uses" - }, - { - "dest-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9", @@ -18653,6 +18125,9 @@ "refs": [ "https://attack.mitre.org/software/S1013", "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html" + ], + "synonyms": [ + "ZxxZ" ] }, "related": [ @@ -18664,6 +18139,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" @@ -18696,10 +18175,6 @@ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" @@ -18741,13 +18216,6 @@ { "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", "type": "uses" - }, - { - "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3", @@ -18777,6 +18245,10 @@ "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" @@ -18801,10 +18273,6 @@ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" 
@@ -18845,6 +18313,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" @@ -18857,10 +18329,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" 
@@ -18869,6 +18337,50 @@ "uuid": "0b639373-5f03-430e-b8f9-2fe8c8faad8e", "value": "Chinoxy - S1041" }, + { + "description": "[SLOWPULSE](https://attack.mitre.org/software/S1104) is a malware that was used by [APT5](https://attack.mitre.org/groups/G1023) as early as 2020 including against U.S. Defense Industrial Base (DIB) companies. [SLOWPULSE](https://attack.mitre.org/software/S1104) has several variants and can modify legitimate Pulse Secure VPN files in order to log credentials and bypass single and two-factor authentication flows.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", + "meta": { + "external_id": "S1104", + "mitre_platforms": [ + "Network" + ], + "refs": [ + "https://attack.mitre.org/software/S1104", + "https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day" + ], + "synonyms": [ + "SLOWPULSE" + ] + }, + "related": [ + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "uses" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": "uses" + }, + { + "dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc", + "type": "uses" + }, + { + "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", + "type": "uses" + }, + { + "dest-uuid": "fa44a152-ac48-441e-a524-dd7b04b8adcd", + "type": "uses" + } + ], + "uuid": "f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4", + "value": "SLOWPULSE - S1104" + }, { "description": "[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)", "meta": { 
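Review bot: The new SLOWPULSE entry adds a `uses` relation to `b3d682b6-98f2-4fb0-aa3b-b4df007ca70a`, while elsewhere in this commit that same `dest-uuid` is removed from roughly fifteen existing clusters and `0d91b3c0-5e50-47c3-949a-2a796f04d144` is inserted in its place (see the hunks on the lines for `@@ -12300`, `@@ -13074`, `@@ -13555`, `@@ -13718` and later). Mapping a software entry to the parent technique can be legitimate, so this may well be intentional, but the contrast is striking enough to confirm that the new entries were generated against the same upstream version as the remapped ones. The COATHANGER entry further down keeps `b3d682b6-…` as well, so if it is a version skew it affects more than one new cluster.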
@@ -18993,25 +18505,104 @@ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" - }, - { - "dest-uuid": "71ac10de-1103-40a7-b65b-f97dab9769bf", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", "value": "HALFBAKED - S0151" }, + { + "description": "[COATHANGER](https://attack.mitre.org/software/S1105) is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, [COATHANGER](https://attack.mitre.org/software/S1105) was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. [COATHANGER](https://attack.mitre.org/software/S1105) is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. 
The name [COATHANGER](https://attack.mitre.org/software/S1105) is based on a unique string in the malware used to encrypt configuration files on disk: “She took his coat and hung it up”.(Citation: NCSC-NL COATHANGER Feb 2024)", + "meta": { + "external_id": "S1105", + "mitre_platforms": [ + "Linux", + "Network" + ], + "refs": [ + "https://attack.mitre.org/software/S1105", + "https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear/TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf" + ], + "synonyms": [ + "COATHANGER" + ] + }, + "related": [ + { + "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", + "type": "uses" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "type": "uses" + }, + { + "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", + "type": "uses" + }, + { + "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "type": "uses" + }, + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": "uses" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "type": "uses" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": 
"ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "type": "uses" + } + ], + "uuid": "0c242cc5-58d3-4fe3-a866-b00a4b6fb817", + "value": "COATHANGER - S1105" + }, { "description": "[Crimson](https://attack.mitre.org/software/S0115) is a remote access Trojan that has been used by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2016.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)", "meta": { @@ -19166,13 +18757,6 @@ { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", @@ -19252,6 +18836,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" @@ -19260,10 +18848,6 @@ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" @@ -19315,6 +18899,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" @@ -19363,10 +18951,6 @@ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" @@ -19443,6 +19027,10 @@ "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "uses" }, + { + "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "type": "uses" + }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" 
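Review bot: The COATHANGER `description` appears to break across two lines between `…CVE-2022-42475. ` and `The name …`; if that is a raw newline inside the string rather than an escaped `\n\n`, any strict JSON parser will reject the file, so confirm the stored value is escaped (the diff renderer may simply have wrapped it). The same hunk also drops HALFBAKED's `similar` relation to `71ac10de-1103-40a7-b65b-f97dab9769bf` (tagged `likely`) together with a tagged `uses` relation; unlike most removals in this diff, which delete a tagged copy immediately after an identical untagged line, no untagged twin of the `similar` link is visible in the hunk (the rest of HALFBAKED's `related` array is outside it), so this reads as lost cross-cluster linkage rather than de-duplication. The reciprocal `17e919aa…` ↔ `4f6aa78c…` `similar` links near the end of this diff are removed the same way. If those targets are deprecated legacy clusters the cleanup is fine, but the commit should say so.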
@@ -19556,20 +19144,6 @@ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" - }, - { - "dest-uuid": "5930509b-7793-4db9-bdfc-4edda7709d0d", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", 
@@ -19665,6 +19239,46 @@ "uuid": "cad3ba95-8c89-4146-ab10-08daa813f9de", "value": "Clop - S0611" }, + { + "description": "[NGLite](https://attack.mitre.org/software/S1106) is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.(Citation: NGLite Trojan)", + "meta": { + "external_id": "S1106", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1106", + "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/" + ], + "synonyms": [ + "NGLite" + ] + }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "uses" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + } + ], + "uuid": "72b5f07f-5448-4e00-9ff2-08bc193a7b77", + "value": "NGLite - S1106" + }, { "description": "[MacMa](https://attack.mitre.org/software/S1016) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. [MacMa](https://attack.mitre.org/software/S1016) has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022)", "meta": { 
@@ -19788,6 +19402,61 @@ "uuid": "bdee9574-7479-4073-a7dc-e86d8acd073a", "value": "MacMa - S1016" }, + { + "description": "[NKAbuse](https://attack.mitre.org/software/S1107) is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities.(Citation: NKAbuse BC)(Citation: NKAbuse SL)", + "meta": { + "external_id": "S1107", + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1107", + "https://securelist.com/unveiling-nkabuse/111512/", + "https://www.bleepingcomputer.com/news/security/new-nkabuse-malware-abuses-nkn-blockchain-for-stealthy-comms/#google_vignette" + ], + "synonyms": [ + "NKAbuse" + ] + }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "type": "uses" + }, + { + "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", + "type": "uses" + }, + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "type": "uses" + }, + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "type": "uses" + }, + { + "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", + "type": "uses" + } + ], + "uuid": "bd2ebee8-7c38-408a-871d-221012104222", + "value": "NKAbuse - S1107" + }, { "description": "[Felismus](https://attack.mitre.org/software/S0171) is a modular backdoor that has been used by [Sowbug](https://attack.mitre.org/groups/G0054). (Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)", "meta": { 
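Review bot: The second `refs` URL for NKAbuse carries a `#google_vignette` fragment, which is an ad-interstitial artifact appended by the browser rather than part of the article's canonical URL; it should read `https://www.bleepingcomputer.com/news/security/new-nkabuse-malware-abuses-nkn-blockchain-for-stealthy-comms/`. Since this file looks generated from upstream ATT&CK external references, fix it at the source (or strip URL fragments in the generator) so the next regeneration does not reintroduce it. Stray fragments also defeat exact-match de-duplication of the same reference elsewhere in the galaxies.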
@@ -19851,13 +19520,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", @@ -20003,13 +19665,6 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" - }, - { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", @@ -20052,6 +19707,10 @@ "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" @@ -20124,10 +19783,6 @@ "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" 
@@ -20244,18 +19899,48 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", "value": "FALLCHILL - S0181" }, + { + "description": "[PULSECHECK](https://attack.mitre.org/software/S1108) is a web shell written in Perl that was used by [APT5](https://attack.mitre.org/groups/G1023) as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) companies.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", + "meta": { + "external_id": "S1108", + "mitre_platforms": [ + "Network", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S1108", + "https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day" + ], + "synonyms": [ + "PULSECHECK" + ] + }, + "related": [ + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "type": "uses" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "uses" + }, + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + } + ], + "uuid": "9a097d18-d15f-4635-a4f1-189df7efdc40", + "value": "PULSECHECK - S1108" + }, { "description": "[Nidiran](https://attack.mitre.org/software/S0118) is a custom backdoor developed and used by [Suckfly](https://attack.mitre.org/groups/G0039). It has been delivered via strategic web compromise. (Citation: Symantec Suckfly March 2016)", "meta": { 
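Review bot: `mitre_platforms` for PULSECHECK is ordered `["Network", "Linux"]` whereas the other new clusters in this diff (SLOWPULSE, COATHANGER, NKAbuse) list platforms alphabetically (`["Linux", "Network"]`); if the generator does not sort this array, the order mirrors upstream input and will churn on every regeneration, so sorting `mitre_platforms` in the generator would keep diffs stable. PACEMAKER (S1109) in the next hunk has the same ordering. The FALLCHILL part of this hunk also drops a tagged `uses` relation to `707399d6-ab3e-4963-9315-d9d3818cd6a0` whose untagged counterpart is not visible here (FALLCHILL's `related` array starts before the hunk), so verify that uuid is still present on the cluster after the change.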
@@ -20284,18 +19969,56 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", "value": "Nidiran - S0118" }, + { + "description": "[PACEMAKER](https://attack.mitre.org/software/S1109) is a credential stealer that was used by [APT5](https://attack.mitre.org/groups/G1023) as early as 2020 including activity against US Defense Industrial Base (DIB) companies.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", + "meta": { + "external_id": "S1109", + "mitre_platforms": [ + "Network", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S1109", + "https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day" + ], + "synonyms": [ + "PACEMAKER" + ] + }, + "related": [ + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "type": "uses" + }, + { + "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "type": "uses" + }, + { + "dest-uuid": "ea016b56-ae0e-47fe-967a-cc0ad51af67f", + "type": "uses" + } + ], + "uuid": "647215dd-29a6-4528-b354-ca8b5e08fca1", + "value": "PACEMAKER - S1109" + }, { "description": "[Shark](https://attack.mitre.org/software/S1019) is a backdoor malware written in C# and .NET that is an updated version of [Milan](https://attack.mitre.org/software/S1015); it has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least July 2021.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)", "meta": { 
@@ -20313,6 +20036,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" @@ -20353,10 +20080,6 @@ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" @@ -20477,13 +20200,6 @@ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e", @@ -20634,13 +20350,6 @@ { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" - }, - { - "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "3d8e547d-9456-4f32-a895-dc86134e282f", @@ -20738,6 +20447,10 @@ "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" @@ -20749,10 +20462,6 @@ ], "type": "similar" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" @@ -20760,13 +20469,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", 
@@ -20796,6 +20498,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" @@ -20816,10 +20522,6 @@ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" @@ -20902,13 +20604,6 @@ { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" - }, - { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "6447e3a1-ef4d-44b1-99d5-6b1c4888674f", @@ -20939,13 +20634,6 @@ { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" - }, - { - "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", @@ -21132,13 +20820,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68", @@ -21250,13 +20931,6 @@ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", 
@@ -21401,13 +21075,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", @@ -21609,13 +21276,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322", @@ -21647,6 +21307,10 @@ "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" @@ -21679,10 +21343,6 @@ "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" @@ -21937,20 +21597,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "c542f369-f06d-4168-8c84-fdf5fc7f2a8d", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", @@ -21983,6 +21629,10 @@ "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" 
@@ -22058,10 +21708,6 @@ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" @@ -22097,13 +21743,6 @@ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" - }, - { - "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", @@ -22381,13 +22020,6 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", @@ -22439,13 +22071,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79", @@ -22579,20 +22204,6 @@ { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" - }, - { - "dest-uuid": "75c79f95-4c84-4650-9158-510f0ce4831d", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f108215f-3487-489d-be8b-80e346d32518", @@ -22616,6 +22227,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" 
@@ -22664,10 +22279,6 @@ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" @@ -22854,13 +22465,6 @@ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", @@ -22954,13 +22558,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8", @@ -22986,6 +22583,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" @@ -23021,10 +22622,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" @@ -23040,13 +22637,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", @@ -23164,13 +22754,6 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "e9595678-d269-469e-ae6b-75e49259de63", 
@@ -23210,13 +22793,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16", @@ -23429,13 +23005,6 @@ { "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", "type": "uses" - }, - { - "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", @@ -23573,13 +23142,6 @@ { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" - }, - { - "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "49abab73-3c5c-476e-afd5-69b5c732d845", @@ -23606,20 +23168,6 @@ { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" - }, - { - "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c709da93-20c3-4d17-ab68-48cba76b2137", @@ -23725,6 +23273,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" @@ -23741,10 +23293,6 @@ "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" 
@@ -23786,13 +23334,6 @@ { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" - }, - { - "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "936be60d-90eb-4c36-9247-4b31128432c4", @@ -23827,6 +23368,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" @@ -23867,10 +23412,6 @@ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" @@ -23949,13 +23490,6 @@ { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", @@ -24023,13 +23557,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", @@ -24412,13 +23939,6 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" - }, - { - "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", 
@@ -24520,13 +24040,6 @@ { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" - }, - { - "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878", @@ -24561,6 +24074,10 @@ "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", "type": "uses" @@ -24669,10 +24186,6 @@ "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" @@ -24748,6 +24261,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" @@ -24809,10 +24326,6 @@ "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" @@ -24828,20 +24341,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "3df08e23-1d0b-41ed-b735-c4eca46ce48e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", @@ -24967,6 +24466,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" 
@@ -25022,20 +24525,9 @@ "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", @@ -25211,20 +24703,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "4af4e96f-c92d-4a45-9958-a88ad8deb38d", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", @@ -25256,6 +24734,10 @@ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" @@ -25288,10 +24770,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" @@ -25381,13 +24859,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", 
@@ -25412,13 +24883,6 @@ { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", @@ -25614,13 +25078,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", @@ -25846,6 +25303,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" @@ -25866,10 +25327,6 @@ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" @@ -26168,13 +25625,6 @@ { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", @@ -26204,6 +25654,10 @@ "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, + { + "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "type": "uses" + }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" @@ -26388,13 +25842,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", 
@@ -26436,6 +25883,10 @@ "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" @@ -26524,10 +25975,6 @@ "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" @@ -26665,6 +26112,10 @@ "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" @@ -26676,10 +26127,6 @@ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" } ], "uuid": "56d10a7f-bb42-4267-9b4c-63abb9c06010", @@ -26740,20 +26187,6 @@ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" - }, - { - "dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", @@ -26852,6 +26285,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" @@ -26884,10 +26321,6 @@ "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", "type": "uses" 
@@ -27049,20 +26482,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", @@ -27419,13 +26838,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", @@ -27815,13 +27227,6 @@ { "dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4", "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", @@ -28021,13 +27426,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", 
@@ -28283,18 +27681,141 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" - }, - { - "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "value": "RTM - S0148" }, + { + "description": "[BRATA](https://attack.mitre.org/software/S1094) (Brazilian Remote Access Tool, Android), is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, [BRATA](https://attack.mitre.org/software/S1094) was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of [BRATA](https://attack.mitre.org/software/S1094).(Citation: securelist_brata_0819)(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", + "meta": { + "external_id": "S1094", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1094", + "https://securelist.com/spying-android-rat-from-brazil-brata/92775/", + "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" + ], + "synonyms": [ + "BRATA" + ] + }, + "related": [ + { + "dest-uuid": "0b761f2b-197a-40f2-b100-8152cb957c0c", + "type": "uses" + }, + { + "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "type": "uses" + }, + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "type": "uses" + }, + { + "dest-uuid": "1d44f529-6fe6-489f-8a01-6261ac43f05e", + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "type": "uses" + }, + { + "dest-uuid": "24a77e53-0751-46fc-b207-99378fb35c08", + "type": "uses" + }, + { + "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "type": "uses" + }, + { + "dest-uuid": 
"32063d7f-0a39-440d-a4a3-2694488f96cc", + "type": "uses" + }, + { + "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "type": "uses" + }, + { + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", + "type": "uses" + }, + { + "dest-uuid": "51636761-2e35-44bf-9e56-e337adf97174", + "type": "uses" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "type": "uses" + }, + { + "dest-uuid": "6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", + "type": "uses" + }, + { + "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "type": "uses" + }, + { + "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", + "type": "uses" + }, + { + "dest-uuid": "74e6003f-c7f4-4047-983b-708cc19b96b6", + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "type": "uses" + }, + { + "dest-uuid": "9ef14445-6f35-4ed0-a042-5024f13a9242", + "type": "uses" + }, + { + "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", + "type": "uses" + }, + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "type": "uses" + }, + { + "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", + "type": "uses" + }, + { + "dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df", + "type": "uses" + }, + { + "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "type": "uses" + }, + { + "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "type": "uses" + }, + { + "dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec", + "type": "uses" + }, + { + "dest-uuid": "e422b6fa-4739-46b9-992e-82f1b350c780", + "type": "uses" + } + ], + "uuid": "5aff44ab-5a41-49bb-b5d1-b4876d0437f4", + "value": "BRATA - S1094" + }, { "description": "[SUGARUSH](https://attack.mitre.org/software/S1049) is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 address. 
[SUGARUSH](https://attack.mitre.org/software/S1049) was first identified during analysis of UNC3890's [C0010](https://attack.mitre.org/campaigns/C0010) campaign targeting Israeli companies, which began in late 2020.(Citation: Mandiant UNC3890 Aug 2022)", "meta": { @@ -28467,13 +27988,6 @@ { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", @@ -28496,6 +28010,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" @@ -28568,10 +28086,6 @@ "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" @@ -28725,20 +28239,6 @@ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" - }, - { - "dest-uuid": "a89ed72c-202d-486b-9349-6ffc0a61e30a", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", @@ -29177,20 +28677,6 @@ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" - }, - { - "dest-uuid": "321e2bd3-2d98-41d6-8402-3949f514c548", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", 
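Review bot: The BRATA description in the hunk beginning at @@ -28283 has a stray comma separating subject from verb: `(Brazilian Remote Access Tool, Android), is an evolving Android malware strain`; dropping the comma after the closing parenthesis reads correctly. The text appears to mirror the upstream ATT&CK description for S1094, so if this file is regenerated the fix belongs in the upstream source rather than a hand edit here. The entry itself is well-formed: the `related` list is sorted by `dest-uuid` and contains no duplicates.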
@@ -29320,13 +28806,6 @@ { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", @@ -29357,10 +28836,18 @@ "dest-uuid": "3e091a89-a493-4a6c-8e88-d57be19bb98d", "type": "uses" }, + { + "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "type": "uses" + }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, + { + "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", + "type": "uses" + }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" @@ -29495,20 +28982,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "f5ac89a7-e129-43b7-bd68-e3cb1e5a3ba2", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", @@ -29621,13 +29094,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "0998045d-f96e-4284-95ce-3c8219707486", @@ -29660,20 +29126,6 @@ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" - }, - { - "dest-uuid": "f9c6da03-8cb1-4383-9d52-a614c42082bf", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", 
@@ -29912,6 +29364,86 @@ "uuid": "0c52f5bc-557d-4083-bd27-66d7cdb794bb", "value": "Sardonic - S1085" }, + { + "description": "[AhRat](https://attack.mitre.org/software/S1095) is an Android remote access tool based on the open-source AhMyth remote access tool. [AhRat](https://attack.mitre.org/software/S1095) initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, “iRecorder – Screen Recorder”, which itself was released in September 2021.(Citation: welivesecurity_ahrat_0523)", + "meta": { + "external_id": "S1095", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1095", + "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" + ], + "synonyms": [ + "AhRat" + ] + }, + "related": [ + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "type": "uses" + }, + { + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", + "type": "uses" + }, + { + "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", + "type": "uses" + }, + { + "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "type": "uses" + }, + { + "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "type": "uses" + }, + { + "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", + "type": "uses" + }, + { + "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "type": "uses" + }, + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "type": "uses" + }, + { + "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "type": "uses" + 
}, + { + "dest-uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", + "type": "uses" + } + ], + "uuid": "24c8f6db-71e0-41ef-a1dc-83399a5b17e5", + "value": "AhRat - S1095" + }, { "description": "[SNUGRIDE](https://attack.mitre.org/software/S0159) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045) as first stage malware. (Citation: FireEye APT10 April 2017)", "meta": { @@ -29950,20 +29482,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "12b524b9-0d94-400f-904f-615f4f764aaf", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", @@ -29998,6 +29516,10 @@ "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" @@ -30066,10 +29588,6 @@ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "type": "uses" @@ -30185,13 +29703,6 @@ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" - }, - { - "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", @@ -30349,6 +29860,10 @@ "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" 
@@ -30413,10 +29928,6 @@ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", "type": "uses" @@ -30667,13 +30178,6 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", @@ -30781,13 +30285,6 @@ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" - }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", @@ -30814,6 +30311,10 @@ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" @@ -30830,10 +30331,6 @@ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" @@ -31001,13 +30498,6 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", @@ -31047,6 +30537,10 @@ ], "type": "similar" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" 
@@ -31079,10 +30573,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" @@ -31106,13 +30596,6 @@ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", @@ -31315,13 +30798,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", 
@@ -31395,6 +30871,39 @@ "uuid": "68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "value": "TangleBot - S1069" }, + { + "description": "[Cheerscrypt](https://attack.mitre.org/software/S1096) is a ransomware that was developed by [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) and has been used in attacks against ESXi and Windows environments since at least 2022. [Cheerscrypt](https://attack.mitre.org/software/S1096) was derived from the leaked [Babuk](https://attack.mitre.org/software/S0638) source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from [Babuk](https://attack.mitre.org/software/S0638).(Citation: Sygnia Emperor Dragonfly October 2022)(Citation: Trend Micro Cheerscrypt May 2022)", + "meta": { + "external_id": "S1096", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1096", + "https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group", + "https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html" + ], + "synonyms": [ + "Cheerscrypt" + ] + }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "type": "uses" + } + ], + "uuid": "5d3fa1db-5041-4560-b87b-8f61cc225c52", + "value": "Cheerscrypt - S1096" + }, { "description": "[Neoichor](https://attack.mitre.org/software/S0691) is C2 malware used by [Ke3chang](https://attack.mitre.org/groups/G0004) since at least 2019; similar malware families used by the group include Leeson and Numbldea.(Citation: Microsoft NICKEL December 2021)", "meta": { 
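Review bot: `mitre_platforms` for the new Cheerscrypt entry lists only `"Windows"`, while the description in the same hunk says it `has been used in attacks against ESXi and Windows environments` and the Trend Micro reference's URL slug describes it as Linux-based ransomware targeting ESXi. Consumers that filter clusters by platform will not surface this entry for Linux/ESXi hunting, which is exactly where the description says it operates. If the platform list mirrors the upstream ATT&CK object, the discrepancy should be raised there; otherwise `"Linux"` belongs alongside `"Windows"`.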
@@ -31509,13 +31018,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", @@ -31565,6 +31067,10 @@ "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "uses" }, + { + "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "type": "uses" + }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" @@ -31589,6 +31095,10 @@ "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, + { + "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", + "type": "uses" + }, { "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "type": "uses" @@ -31706,13 +31216,6 @@ { "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235", "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", @@ -31832,13 +31335,6 @@ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", @@ -31873,13 +31369,6 @@ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79", @@ -31921,6 +31410,10 @@ "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, + { + "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "type": "uses" + }, { "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", "type": "uses" 
@@ -31949,6 +31442,10 @@ "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, + { + "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", + "type": "uses" + }, { "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", "type": "uses" @@ -32060,13 +31557,6 @@ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", @@ -32335,13 +31825,6 @@ { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", @@ -32378,13 +31861,6 @@ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", 
@@ -32437,18 +31913,103 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c", "value": "TURNEDUP - S0199" }, + { + "description": "[Samurai](https://attack.mitre.org/software/S1099) is a passive backdoor that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2020. [Samurai](https://attack.mitre.org/software/S1099) allows arbitrary C# code execution and is used with multiple modules for remote administration and lateral movement.(Citation: Kaspersky ToddyCat June 2022)", + "meta": { + "external_id": "S1099", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1099", + "https://securelist.com/toddycat/106799/" + ], + "synonyms": [ + "Samurai" + ] + }, + "related": [ + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "uses" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "type": "uses" + }, + { + "dest-uuid": 
"c726e0a2-a57a-4b7b-a973-d0f013246617", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + }, + { + "dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4", + "type": "uses" + } + ], + "uuid": "ae91fb8f-5031-4f57-9839-e3be3ed503f0", + "value": "Samurai - S1099" + }, { "description": "[CCBkdr](https://attack.mitre.org/software/S0222) is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website. (Citation: Talos CCleanup 2017) (Citation: Intezer Aurora Sept 2017)", "meta": { @@ -32473,13 +32034,6 @@ { "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", "type": "uses" - }, - { - "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "b0f13390-cec7-4814-b37c-ccec01887faa", @@ -32611,13 +32165,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37", @@ -32650,20 +32197,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c8770c81-c29f-40d2-a140-38544206b2b4", 
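Review bot: The new Samurai entry (hunk starting at @@ -32437) adds a `uses` edge to `b3d682b6-98f2-4fb0-aa3b-b4df007ca70a`, the target this commit removes from roughly a dozen other entries in favour of `0d91b3c0-5e50-47c3-949a-2a796f04d144`. That may well be correct, since other entries keep a `b3d682b6-…` edge as context in @@ -31873 and @@ -32378 and the remap is evidently per-entry, but it is worth confirming against the upstream S1099 mapping that the parent-level edge is intended here rather than a sweep that missed a freshly added entry. The rest of the list is sorted and duplicate-free.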
@@ -32690,19 +32223,12 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "7451bcf9-e6e6-4a70-bc3d-1599173d0035", @@ -32919,6 +32445,10 @@ "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, + { + "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "type": "uses" + }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" @@ -33173,6 +32703,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" @@ -33208,10 +32742,6 @@ "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" @@ -33223,13 +32753,6 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2", 
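Review bot: The in-place substitution in hunk @@ -32690 leaves `0d91b3c0-5e50-47c3-949a-2a796f04d144` in the slot that `b3d682b6-98f2-4fb0-aa3b-b4df007ca70a` occupied, immediately before `d1fcf083-…`, whereas every other occurrence of this remap in the commit (for example @@ -33173/@@ -33208 further along this line, and @@ -35793) keeps the `related` list sorted by `dest-uuid`. Assuming the unseen element preceding it sorts above `0d…`, this entry is now out of order and the next regeneration will move it, producing a spurious diff. Placing the object at the head of the list, as @@ -35793 does, keeps the file's ordering convention.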
@@ -33292,19 +32815,35 @@ "value": "MacSpy - S0282" }, { - "description": "[AndroRAT](https://attack.mitre.org/software/S0292) is malware that allows a third party to control the device and collect information. (Citation: Lookout-EnterpriseApps)", + "description": "[AndroRAT](https://attack.mitre.org/software/S0292) is an open-source remote access tool for Android devices. [AndroRAT](https://attack.mitre.org/software/S0292) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as sending SMS messages and taking pictures.(Citation: Lookout-EnterpriseApps)(Citation: github_androrat)(Citation: Forcepoint BITTER Pakistan Oct 2016) It is originally available through the `The404Hacking` Github repository.(Citation: github_androrat)", "meta": { "external_id": "S0292", + "mitre_platforms": [ + "Android" + ], "refs": [ "https://attack.mitre.org/software/S0292", - "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" + "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/", + "https://web.archive.org/web/20221013124327/https://github.com/The404Hacking/AndroRAT", + "https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" + ], + "synonyms": [ + "AndroRAT" ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "type": "uses" + }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, + { + "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "type": "uses" + }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" 
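Review bot: The rewritten AndroRAT description in hunk @@ -33292 closes with a sentence saying the tool "is originally available" through the The404Hacking GitHub repository, which mixes present and past tense; `It was originally made available through the The404Hacking GitHub repository.` reads correctly. Pointing the ref at the web.archive.org snapshot rather than the live repository is the right call, since the source may be removed or altered after the fact. As with the other descriptions, if the text is regenerated from upstream the wording fix belongs there.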
@@ -33320,27 +32859,25 @@ "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, + { + "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", + "type": "uses" + }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "type": "uses" + }, + { + "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", + "type": "uses" + }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", @@ -33422,13 +32959,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b", @@ -33472,20 +33002,6 @@ { "dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "type": "uses" - }, - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", @@ -33542,13 +33058,6 @@ { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "049ff071-0b3c-4712-95d2-d21c6aa54501", 
@@ -33869,6 +33378,10 @@ "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" @@ -33901,10 +33414,6 @@ "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" @@ -34257,6 +33766,10 @@ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" @@ -34293,10 +33806,6 @@ "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" @@ -34461,6 +33970,10 @@ "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, + { + "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", + "type": "uses" + }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" @@ -34469,6 +33982,10 @@ "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" }, + { + "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", + "type": "uses" + }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" 
@@ -34482,7 +33999,7 @@
 "value": "RedDrop - S0326"
 },
 {
- "description": "[Kwampirs](https://attack.mitre.org/software/S0236) is a backdoor Trojan used by [Orangeworm](https://attack.mitre.org/groups/G0071). It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. (Citation: Symantec Orangeworm April 2018)",
+ "description": "[Kwampirs](https://attack.mitre.org/software/S0236) is a backdoor Trojan used by [Orangeworm](https://attack.mitre.org/groups/G0071). [Kwampirs](https://attack.mitre.org/software/S0236) has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines.(Citation: Symantec Orangeworm April 2018) [Kwampirs](https://attack.mitre.org/software/S0236) has multiple technical overlaps with [Shamoon](https://attack.mitre.org/software/S0140) based on reverse engineering analysis.(Citation: Cylera Kwampirs 2022)",
 "meta": {
 "external_id": "S0236",
 "mitre_platforms": [
@@ -34490,6 +34007,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/software/S0236",
+ "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf",
 "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
 ],
 "synonyms": [
@@ -34505,6 +34023,10 @@
 "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
 "type": "uses"
@@ -34565,10 +34087,6 @@
 "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
 "type": "uses"
@@ -34694,6 +34212,10 @@
 "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
 "type": "uses"
@@ -34742,10 +34264,6 @@
 "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
 "type": "uses"
@@ -35231,20 +34749,6 @@
 {
 "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
 "type": "uses"
- },
- {
- "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e",
@@ -35793,11 +35297,11 @@
 },
 "related": [
 {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
 "type": "uses"
 },
 {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
 "type": "uses"
 },
 {
@@ -36230,6 +35734,10 @@
 "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
 "type": "uses"
 },
+ {
+ "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d",
+ "type": "uses"
+ },
 {
 "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
 "type": "uses"
@@ -36246,6 +35754,10 @@
 "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
 "type": "uses"
 },
+ {
+ "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80",
+ "type": "uses"
+ },
 {
 "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
 "type": "uses"
@@ -36644,6 +36156,10 @@
 "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
 "type": "uses"
@@ -36668,10 +36184,6 @@
 "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
 "type": "uses"
@@ -36800,20 +36312,6 @@
 {
 "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf",
 "type": "uses"
- },
- {
- "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "c80a6bef-b3ce-44d0-b113-946e93124898",
@@ -37218,6 +36716,10 @@
 "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
 "type": "uses"
@@ -37266,10 +36768,6 @@
 "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
 "type": "uses"
@@ -37471,6 +36969,10 @@
 "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
 "type": "uses"
@@ -37499,10 +37001,6 @@
 "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
 "type": "uses"
@@ -37680,6 +37178,10 @@
 "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
 "type": "uses"
@@ -37712,10 +37214,6 @@
 "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
 "type": "uses"
@@ -37839,13 +37337,6 @@
 {
 "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5",
 "type": "uses"
- },
- {
- "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "2074b2ad-612e-4758-adce-7901c1b49bbc",
@@ -38018,20 +37509,6 @@
 {
 "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
 "type": "uses"
- },
- {
- "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
@@ -38129,6 +37606,10 @@
 "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
 "type": "uses"
 },
+ {
+ "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d",
+ "type": "uses"
+ },
 {
 "dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb",
 "type": "uses"
@@ -38263,6 +37744,10 @@
 "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
 "type": "uses"
@@ -38427,6 +37912,10 @@
 "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
 "type": "uses"
 },
+ {
+ "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
+ "type": "uses"
+ },
 {
 "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
 "type": "uses"
@@ -38497,6 +37986,10 @@
 "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
 "type": "uses"
@@ -38537,10 +38030,6 @@
 "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
 "type": "uses"
@@ -38603,6 +38092,10 @@
 "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
 "type": "uses"
@@ -38631,10 +38124,6 @@
 "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
 "type": "uses"
@@ -38676,7 +38165,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/software/S0276",
- "https://www.synack.com/2017/01/01/mac-malware-2016/",
+ "https://objective-see.org/blog/blog_0x16.html",
 "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
 ],
 "synonyms": [
@@ -38811,6 +38300,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
 "type": "uses"
@@ -38835,10 +38328,6 @@
 "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
 "type": "uses"
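Review bot: The first hunk on this line (`@@ -38427`) keeps `"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"` as an untouched context line, while every other hunk in this diff that touches that uuid either deletes the entry or replaces it with `0d91b3c0-5e50-47c3-949a-2a796f04d144` (for example `@@ -35793` and `@@ -40457`). If `b3d682b6-…` is the superseded entry, this cluster appears to have been missed by the rewrite and will keep pointing at a stale target; if it is intentionally retained here, a short note in the commit message explaining why would stop the next reviewer from asking the same question. The enclosing `related` array starts and ends outside the hunk, so the full list for this cluster cannot be checked from the diff.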
@@ -38868,13 +38357,6 @@
 {
 "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
 "type": "uses"
- },
- {
- "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde",
@@ -38982,6 +38464,10 @@
 "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
 "type": "uses"
@@ -39070,10 +38556,6 @@
 "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
 "type": "uses"
@@ -39226,6 +38708,10 @@
 "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
 "type": "uses"
@@ -39278,10 +38764,6 @@
 "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
 "type": "uses"
@@ -39383,20 +38865,6 @@
 {
 "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
 "type": "uses"
- },
- {
- "dest-uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0",
@@ -39473,20 +38941,6 @@
 {
 "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692",
 "type": "uses"
- },
- {
- "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9",
@@ -39589,20 +39043,6 @@
 {
 "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
 "type": "uses"
- },
- {
- "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50",
@@ -39621,13 +39061,6 @@
 {
 "dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d",
 "type": "uses"
- },
- {
- "dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe",
@@ -39649,6 +39082,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "type": "uses"
+ },
 {
 "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
 "type": "uses"
@@ -39657,10 +39094,6 @@
 "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
 "type": "uses"
@@ -39802,6 +39235,10 @@
 "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
 "type": "uses"
@@ -39829,10 +39266,6 @@
 {
 "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
 "type": "uses"
- },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
 }
 ],
 "uuid": "44c75271-0e4d-496f-ae0a-a6d883a42a65",
@@ -40240,6 +39673,10 @@
 "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
 "type": "uses"
@@ -40316,10 +39753,6 @@
 "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
 "type": "uses"
@@ -40457,7 +39890,7 @@
 },
 "related": [
 {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
 "type": "uses"
 }
 ],
@@ -40501,6 +39934,10 @@
 "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
 "type": "uses"
@@ -40521,10 +39958,6 @@
 "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
 "type": "uses"
@@ -40820,12 +40253,14 @@
 "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
 "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
 "https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
 ],
 "synonyms": [
 "Bazar",
 "KEGTAP",
- "Team9"
+ "Team9",
+ "Bazaloader"
 ]
 },
 "related": [
@@ -40841,6 +40276,10 @@
 "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
 "type": "uses"
@@ -40961,10 +40400,6 @@
 "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
 "type": "uses"
@@ -41226,7 +40661,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/software/S0345",
- "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip",
+ "https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf",
 "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf"
 ],
 "synonyms": [
@@ -41234,6 +40669,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
 "type": "uses"
@@ -41254,10 +40693,6 @@
 "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
 "type": "uses"
@@ -41374,6 +40809,10 @@
 "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
 "type": "uses"
 },
+ {
+ "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d",
+ "type": "uses"
+ },
 {
 "dest-uuid": "8605a0ec-b44a-4e98-a7fc-87d4bd3acb66",
 "type": "uses"
@@ -41386,6 +40825,10 @@
 "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
 "type": "uses"
 },
+ {
+ "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80",
+ "type": "uses"
+ },
 {
 "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
 "type": "uses"
@@ -41511,6 +40954,10 @@
 "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
 "type": "uses"
@@ -41543,10 +40990,6 @@
 "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2",
 "type": "uses"
@@ -41684,6 +41127,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
 "type": "uses"
@@ -41704,10 +41151,6 @@
 "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
 "type": "uses"
@@ -41740,6 +41183,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
 "type": "uses"
@@ -41764,10 +41211,6 @@
 "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
 "type": "uses"
@@ -41865,6 +41308,10 @@
 "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
 "type": "uses"
@@ -41885,10 +41332,6 @@
 "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
 "type": "uses"
@@ -41953,6 +41396,10 @@
 "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
 "type": "uses"
@@ -42041,10 +41488,6 @@
 "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
 "type": "uses"
@@ -42102,6 +41545,10 @@
 "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
 "type": "uses"
@@ -42142,10 +41589,6 @@
 "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
 "type": "uses"
@@ -42274,6 +41717,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
 "type": "uses"
@@ -42310,10 +41757,6 @@
 "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
 "type": "uses"
@@ -42354,6 +41797,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
 "type": "uses"
@@ -42374,10 +41821,6 @@
 "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
 "type": "uses"
@@ -42879,6 +42322,10 @@
 "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
 "type": "uses"
@@ -42983,10 +42430,6 @@
 "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
 "type": "uses"
@@ -43095,6 +42538,10 @@
 "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
 "type": "uses"
@@ -43127,10 +42574,6 @@
 "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
 "type": "uses"
@@ -43184,6 +42627,10 @@
 "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "29ba5a15-3b7b-4732-b817-65ea8f6468e6",
 "type": "uses"
@@ -43252,10 +42699,6 @@
 "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
 "type": "uses"
@@ -43524,6 +42967,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
 "type": "uses"
@@ -43584,10 +43031,6 @@
 "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a",
 "type": "uses"
@@ -43784,6 +43227,10 @@
 "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
 "type": "uses"
@@ -43852,10 +43299,6 @@
 "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
 "type": "uses"
@@ -43932,6 +43375,10 @@
 "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
 "type": "uses"
@@ -43992,10 +43439,6 @@
 "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
 "type": "uses"
@@ -44301,6 +43744,10 @@
 "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
 "type": "uses"
 },
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "type": "uses"
+ },
 {
 "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
 "type": "uses"
@@ -44561,7 +44008,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/software/S0386",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992",
+ "https://web.archive.org/web/20210719165945/https://www.trendmicro.com/en_us/research/15/c/ursnif-the-multifaceted-malware.html?_ga=2.165628854.808042651.1508120821-744063452.1505819992",
 "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif",
 "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html",
 "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality"
@@ -44582,6 +44029,10 @@
 "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
 "type": "uses"
@@ -44670,10 +44121,6 @@
 "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
 "type": "uses"
@@ -45027,6 +44474,10 @@
 "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d",
 "type": "uses"
@@ -45063,10 +44514,6 @@
 "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
 "type": "uses"
@@ -45151,6 +44598,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
 "type": "uses"
@@ -45159,10 +44610,6 @@
 "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
 "type": "uses"
@@ -45201,6 +44648,10 @@
 "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
 "type": "uses"
@@ -45217,10 +44668,6 @@
 "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
 "type": "uses"
@@ -46004,6 +45451,10 @@
 "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
 "type": "uses"
@@ -46064,10 +45515,6 @@
 "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
 "type": "uses"
@@ -46294,6 +45741,10 @@
 "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
 "type": "uses"
 },
+ {
+ "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d",
+ "type": "uses"
+ },
 {
 "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
 "type": "uses"
@@ -46498,6 +45949,10 @@
 "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
 "type": "uses"
@@ -46598,10 +46053,6 @@
 "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
 "type": "uses"
@@ -46843,6 +46294,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
 "type": "uses"
@@ -46863,10 +46318,6 @@
 "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
 "type": "uses"
@@ -47912,6 +47363,10 @@
 "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
 "type": "uses"
@@ -47936,10 +47391,6 @@
 "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52",
 "type": "uses"
@@ -48526,6 +47977,10 @@
 "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
 "type": "uses"
@@ -48570,10 +48025,6 @@
 "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
 "type": "uses"
@@ -48852,6 +48303,10 @@
 "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
 "type": "uses"
@@ -48924,10 +48379,6 @@
 "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
 "type": "uses"
@@ -49104,6 +48555,10 @@
 "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
 "type": "uses"
 },
+ {
+ "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d",
+ "type": "uses"
+ },
 {
 "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
 "type": "uses"
@@ -49164,6 +48619,10 @@
 "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
 "type": "uses"
@@ -49196,10 +48655,6 @@
 "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
 "type": "uses"
@@ -49239,6 +48694,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
 "type": "uses"
@@ -49255,10 +48714,6 @@
 "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
 "type": "uses"
@@ -49662,6 +49117,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
 "type": "uses"
@@ -49678,10 +49137,6 @@
 "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
 "type": "uses"
@@ -49992,6 +49447,10 @@
 "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235",
 "type": "uses"
 },
+ {
+ "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
+ "type": "uses"
+ },
 {
 "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade",
 "type": "uses"
@@ -50117,6 +49576,10 @@
 "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
 "type": "uses"
@@ -50157,10 +49620,6 @@
 "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
 "type": "uses"
@@ -50193,6 +49652,10 @@
 "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
 "type": "uses"
@@ -50233,10 +49696,6 @@
 "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
 "type": "uses"
@@ -50803,7 +50262,7 @@
 "value": "PowerPunch - S0685"
 },
 {
- "description": "[Diavol](https://attack.mitre.org/software/S0659) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. [Diavol](https://attack.mitre.org/software/S0659) has been deployed by [Bazar](https://attack.mitre.org/software/S0534) and is thought to have potential ties to [Wizard Spider](https://attack.mitre.org/groups/G0102).(Citation: Fortinet Diavol July 2021)(Citation: FBI Flash Diavol January 2022)(Citation: DFIR Diavol Ransomware December 2021)",
+ "description": "[Diavol](https://attack.mitre.org/software/S0659) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. The [Diavol](https://attack.mitre.org/software/S0659) Ransomware-as-a Service (RaaS) program is managed by [Wizard Spider](https://attack.mitre.org/groups/G0102) and it has been observed being deployed by [Bazar](https://attack.mitre.org/software/S0534).(Citation: Fortinet Diavol July 2021)(Citation: FBI Flash Diavol January 2022)(Citation: DFIR Diavol Ransomware December 2021)(Citation: Microsoft Ransomware as a Service)",
 "meta": {
 "external_id": "S0659",
 "mitre_platforms": [
@@ -50813,7 +50272,8 @@
 "https://attack.mitre.org/software/S0659",
 "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
 "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider",
- "https://www.ic3.gov/Media/News/2022/220120.pdf"
+ "https://www.ic3.gov/Media/News/2022/220120.pdf",
+ "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
 ],
 "synonyms": [
 "Diavol"
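Review bot: The rewritten Diavol description on the `+ "description"` line of the first hunk has a typo in the term it introduces: `Ransomware-as-a Service (RaaS)` is missing a hyphen and should read `Ransomware-as-a-Service (RaaS)`. The added `(Citation: Microsoft Ransomware as a Service)` and the new microsoft.com ref in the second hunk are consistent with each other. Since this text appears to mirror the upstream ATT&CK entry, a local fix would likely be overwritten on the next regeneration, so it is probably better raised upstream.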
@@ -51157,6 +50617,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" @@ -51165,10 +50629,6 @@ "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" @@ -51208,6 +50668,10 @@ "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" @@ -51248,10 +50712,6 @@ "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" @@ -51320,6 +50780,10 @@ ] }, "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" @@ -51356,10 +50820,6 @@ "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" @@ -51404,6 +50864,10 @@ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" @@ -51440,10 +50904,6 @@ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" 
@@ -51686,6 +51146,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" @@ -51762,10 +51226,6 @@ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", "type": "uses" @@ -51838,6 +51298,10 @@ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" @@ -51874,10 +51338,6 @@ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" @@ -52254,6 +51714,10 @@ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" @@ -52286,10 +51750,6 @@ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" @@ -52394,6 +51854,10 @@ "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", "type": "uses" }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" @@ -52450,10 +51914,6 @@ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" 
@@ -52612,6 +52072,10 @@
 "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba",
 "type": "uses"
@@ -52676,10 +52140,6 @@
 "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
 "type": "uses"
@@ -52752,6 +52212,10 @@
 "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
 "type": "uses"
@@ -52776,10 +52240,6 @@
 "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
 "type": "uses"
@@ -52807,7 +52267,1041 @@ ], "uuid": "ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa", "value": "HermeticWizard - S0698" + }, + { + "description": "[DarkGate](https://attack.mitre.org/software/S1111) first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named \"DarkGate\" by its author, [DarkGate](https://attack.mitre.org/software/S1111) is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.(Citation: Ensilo Darkgate 2018) DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.(Citation: Trellix Darkgate 2023)", + "meta": { + "external_id": "S1111", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1111", + "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", + "https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/" + ], + "synonyms": [ + "DarkGate" + ] + }, + "related": [ + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "uses" + }, + { + "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", + "type": "uses" + }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e", + "type": "uses" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "type": "uses" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "uses" + }, + { + "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", + "type": "uses" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "uses" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "type": "uses" + }, + { + "dest-uuid": 
"30208d3e-0d6b-43c8-883e-44462a514619", + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "uses" + }, + { + "dest-uuid": "3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "uses" + }, + { + "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "type": "uses" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "type": "uses" + }, + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3", + "type": "uses" + }, + { + "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "uses" + }, + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "type": "uses" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "uses" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "uses" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "type": "uses" + }, + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "type": "uses" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": 
"uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "type": "uses" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "type": "uses" + }, + { + "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "uses" + }, + { + "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "type": "uses" + }, + { + "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", + "type": "uses" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + }, + { + "dest-uuid": "eb897572-8979-4242-a089-56f294f4c91d", + "type": "uses" + }, + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "type": "uses" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "type": "uses" + } + ], + "uuid": "6f6f67c9-556d-4459-95c2-78d272190e52", + "value": "DarkGate - S1111" + }, + { + "description": "[STEADYPULSE](https://attack.mitre.org/software/S1112) is a web shell that infects targeted Pulse Secure VPN servers through modification of a legitimate Perl script that was used as early as 2020 including in activity against US Defense Industrial Base (DIB) entities.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", + "meta": { + "external_id": "S1112", + "mitre_platforms": [ + "Network" + ], + "refs": [ + "https://attack.mitre.org/software/S1112", + "https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day" + ], + "synonyms": [ + "STEADYPULSE" + ] + }, + "related": [ + { + "dest-uuid": 
"04fd5427-79c7-44ea-ae13-11b24778ff1c", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + } + ], + "uuid": "ca0fead6-5277-427a-825b-42ff1fbe476e", + "value": "STEADYPULSE - S1112" + }, + { + "description": "[RAPIDPULSE](https://attack.mitre.org/software/S1113) is a web shell that exists as a modification to a legitimate Pulse Secure file that has been used by [APT5](https://attack.mitre.org/groups/G1023) since at least 2021.(Citation: Mandiant Pulse Secure Update May 2021)", + "meta": { + "external_id": "S1113", + "mitre_platforms": [ + "Network", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S1113", + "https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices" + ], + "synonyms": [ + "RAPIDPULSE" + ] + }, + "related": [ + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "uses" + } + ], + "uuid": "880f7b3e-ad27-4158-8b03-d44c9357950b", + "value": "RAPIDPULSE - S1113" + }, + { + "description": "[ZIPLINE](https://attack.mitre.org/software/S1114) is a passive backdoor that was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) on compromised Secure Connect VPNs for reverse shell and proxy functionality.(Citation: Mandiant Cutting Edge January 2024)", + "meta": { + "external_id": "S1114", + "mitre_platforms": [ + "Network" + ], + "refs": [ + "https://attack.mitre.org/software/S1114", + 
"https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day" + ], + "synonyms": [ + "ZIPLINE" + ] + }, + "related": [ + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "uses" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "type": "uses" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + } + ], + "uuid": "d9765cbd-4c88-4805-ba98-4c6ccb56b864", + "value": "ZIPLINE - S1114" + }, + { + "description": "[WIREFIRE](https://attack.mitre.org/software/S1115) is a web shell written in Python that exists as trojanized logic to the visits.py component of Ivanti Connect Secure VPN appliances. 
[WIREFIRE](https://attack.mitre.org/software/S1115) was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) for downloading files and command execution.(Citation: Mandiant Cutting Edge January 2024)", + "meta": { + "external_id": "S1115", + "mitre_platforms": [ + "Network" + ], + "refs": [ + "https://attack.mitre.org/software/S1115", + "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day", + "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" + ], + "synonyms": [ + "WIREFIRE", + "GIFTEDVISITOR" + ] + }, + "related": [ + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "uses" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + } + ], + "uuid": "c93e3079-43fb-4d8d-9e99-db63d07eadc9", + "value": "WIREFIRE - S1115" + }, + { + "description": "[WARPWIRE](https://attack.mitre.org/software/S1116) is a Javascript credential stealer that targets plaintext passwords and usernames for exfiltration that was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to target Ivanti Connect Secure VPNs.(Citation: Mandiant Cutting Edge January 2024)(Citation: Mandiant Cutting Edge Part 2 January 2024)", + "meta": { + "external_id": "S1116", + "mitre_platforms": [ + "Network" + ], + "refs": [ + "https://attack.mitre.org/software/S1116", + "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation", + "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day" + ], + 
"synonyms": [ + "WARPWIRE" + ] + }, + "related": [ + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "type": "uses" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "type": "uses" + }, + { + "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "uses" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "uses" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "uses" + } + ], + "uuid": "a5818d36-e9b0-46da-842d-b727a5e36ea6", + "value": "WARPWIRE - S1116" + }, + { + "description": "[GLASSTOKEN](https://attack.mitre.org/software/S1117) is a custom web shell used by threat actors during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to execute commands on compromised Ivanti Secure Connect VPNs.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", + "meta": { + "external_id": "S1117", + "mitre_platforms": [ + "Network" + ], + "refs": [ + "https://attack.mitre.org/software/S1117", + "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" + ], + "synonyms": [ + "GLASSTOKEN" + ] + }, + "related": [ + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + } + ], + "uuid": "554e010d-726b-439d-9a1a-f60fff0cc109", + "value": "GLASSTOKEN - S1117" + }, + { + "description": "[BUSHWALK](https://attack.mitre.org/software/S1118) is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during [Cutting Edge](https://attack.mitre.org/campaigns/C0029).(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)", + "meta": { + 
"external_id": "S1118", + "mitre_platforms": [ + "Network" + ], + "refs": [ + "https://attack.mitre.org/software/S1118", + "https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence", + "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" + ], + "synonyms": [ + "BUSHWALK" + ] + }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "type": "uses" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "uses" + }, + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + } + ], + "uuid": "29a0bb87-1162-4c83-9834-2a98a876051b", + "value": "BUSHWALK - S1118" + }, + { + "description": "[LIGHTWIRE](https://attack.mitre.org/software/S1119) is a web shell written in Perl that was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to maintain access and enable command execution by imbedding into the legitimate compcheckresult.cgi component of Ivanti Secure Connect VPNs.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge January 2024)", + "meta": { + "external_id": "S1119", + "mitre_platforms": [ + "Network" + ], + "refs": [ + "https://attack.mitre.org/software/S1119", + "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation", + "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day" + ], + "synonyms": [ + "LIGHTWIRE" + ] + }, + "related": [ + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "type": "uses" + }, + { + "dest-uuid": 
"960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "type": "uses" + } + ], + "uuid": "5dc9e8ec-9917-4de7-b8ab-16007899dd80", + "value": "LIGHTWIRE - S1119" + }, + { + "description": "[Mispadu](https://attack.mitre.org/software/S1122) is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: SCILabs Malteiro 2021) This malware is operated, managed, and sold by the [Malteiro](https://attack.mitre.org/groups/G1026) cybercriminal group.(Citation: SCILabs Malteiro 2021) [Mispadu](https://attack.mitre.org/software/S1122) has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.(Citation: SCILabs Malteiro 2021)(Citation: SCILabs URSA/Mispadu Evolution 2023)(Citation: Segurança Informática URSA Sophisticated Loader 2020) ", + "meta": { + "external_id": "S1122", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1122", + "https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/", + "https://blog.scilabs.mx/en/evolution-of-banking-trojan-ursa-mispadu/", + "https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/", + "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" + ], + "synonyms": [ + "Mispadu" + ] + }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "type": "uses" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "type": "uses" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "type": "uses" + }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "type": "uses" + }, + { + "dest-uuid": 
"29be378d-262d-4e99-b00d-852d573628e6", + "type": "uses" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "type": "uses" + }, + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "type": "uses" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "type": "uses" + }, + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "type": "uses" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "uses" + }, + { + "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", + "type": "uses" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "uses" + }, + { + "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "uses" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "type": "uses" + } + ], + "uuid": "4e6464d2-69df-4e56-8d4c-1973f84d7b80", + "value": "Mispadu - S1122" + }, + { + "description": "[PITSTOP](https://attack.mitre.org/software/S1123) is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to enable command 
execution and file read/write.(Citation: Mandiant Cutting Edge Part 3 February 2024)", + "meta": { + "external_id": "S1123", + "mitre_platforms": [ + "Network" + ], + "refs": [ + "https://attack.mitre.org/software/S1123", + "https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence" + ], + "synonyms": [ + "PITSTOP" + ] + }, + "related": [ + { + "dest-uuid": "005cc321-08ce-4d17-b1ea-cb5275926520", + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "type": "uses" + }, + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "type": "uses" + }, + { + "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", + "type": "uses" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "type": "uses" + } + ], + "uuid": "d79b1800-3b5d-4a4f-8863-8251eca793e2", + "value": "PITSTOP - S1123" + }, + { + "description": "[SocGholish](https://attack.mitre.org/software/S1124) is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. 
SocGholish is operated by [Mustard Tempest](https://attack.mitre.org/groups/G1020) and its access has been sold to groups including [Indrik Spider](https://attack.mitre.org/groups/G0119) for downloading secondary RAT and ransomware payloads.(Citation: SentinelOne SocGholish Infrastructure November 2022)(Citation: SocGholish-update)(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile) ", + "meta": { + "external_id": "S1124", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1124", + "https://redcanary.com/threat-detection-report/threats/socgholish/", + "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update", + "https://www.secureworks.com/research/threat-profiles/gold-prelude", + "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/" + ], + "synonyms": [ + "SocGholish", + "FakeUpdates" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "uses" + }, + { + "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", + "type": "uses" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "type": "uses" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "type": "uses" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + 
"dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "type": "uses" + }, + { + "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "type": "uses" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "uses" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "uses" + } + ], + "uuid": "5911d2ca-64f6-49b3-b94f-29b5d185085c", + "value": "SocGholish - S1124" + }, + { + "description": "[AcidRain](https://attack.mitre.org/software/S1125) is an ELF binary targeting modems and routers using MIPS architecture.(Citation: AcidRain JAGS 2022) [AcidRain](https://attack.mitre.org/software/S1125) is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: AcidRain JAGS 2022) US and European government sources linked [AcidRain](https://attack.mitre.org/software/S1125) to Russian government entities, while Ukrainian government sources linked [AcidRain](https://attack.mitre.org/software/S1125) specifically to [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: AcidRain State Department 2022)(Citation: Vincens AcidPour 2024)", + "meta": { + "external_id": "S1125", + "mitre_platforms": [ + "Network", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S1125", + "https://cyberscoop.com/viasat-malware-wiper-acidrain/", + "https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/", + "https://www.state.gov/attribution-of-russias-malicious-cyber-activity-against-ukraine/" + ], + "synonyms": [ + "AcidRain" + ] + }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + 
"type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "type": "uses" + }, + { + "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", + "type": "uses" + }, + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "type": "uses" + } + ], + "uuid": "04cecafd-cb5f-4daf-aa1f-73899116c4a2", + "value": "AcidRain - S1125" + }, + { + "description": "[Phenakite](https://attack.mitre.org/software/S1126) is a mobile malware that is used by [APT-C-23](https://attack.mitre.org/groups/G1028) to target iOS devices. According to several reports, [Phenakite](https://attack.mitre.org/software/S1126) was developed to fill a tooling gap and to target those who owned iPhones instead of Windows desktops or Android phones.(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)", + "meta": { + "external_id": "S1126", + "mitre_platforms": [ + "iOS" + ], + "refs": [ + "https://attack.mitre.org/software/S1126", + "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf", + "https://web.archive.org/web/20240208234008/www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/" + ], + "synonyms": [ + "Phenakite" + ] + }, + "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "type": "uses" + }, + { + "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "type": "uses" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "type": "uses" + }, + { + "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "type": "uses" + }, + { + "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "type": "uses" + }, + { + "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + 
"type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "type": "uses" + } + ], + "uuid": "f97e2718-af50-41df-811f-215ebab45691", + "value": "Phenakite - S1126" + }, + { + "description": "[HilalRAT](https://attack.mitre.org/software/S1128) is a remote access-capable Android malware, developed and used by [UNC788](https://attack.mitre.org/groups/G1029).(Citation: Meta Adversarial Threat Report 2022) [HilalRAT](https://attack.mitre.org/software/S1128) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as activating a device's camera and microphone.(Citation: Meta Adversarial Threat Report 2022) ", + "meta": { + "external_id": "S1128", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf", + "https://attack.mitre.org/software/S1128" + ], + "synonyms": [ + "HilalRAT" + ] + }, + "related": [ + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "type": "uses" + }, + { + "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "type": "uses" + } + ], + "uuid": "55714f87-6178-4b89-b3e5-d3a643f647ca", + "value": "HilalRAT - S1128" + }, + { + "description": "[Akira](https://attack.mitre.org/software/S1129) ransomware, written in C++, is most prominently (but not exclusively) associated with the a ransomware-as-a-service entity [Akira](https://attack.mitre.org/groups/G1024).(Citation: Kersten Akira 2023)", + "meta": { + "external_id": "S1129", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1129", + 
"https://www.trellix.com/blogs/research/akira-ransomware/" + ], + "synonyms": [ + "Akira" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "type": "uses" + } + ], + "uuid": "6f6b2353-4b39-40ce-9d6d-d00b7a61e656", + "value": "Akira - S1129" } ], - "version": 32 + "version": 33 } diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json index 7bcadc29..d7f652a0 100644 --- a/clusters/mitre-tool.json +++ b/clusters/mitre-tool.json @@ -29,13 +29,6 @@ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "242f3da3-4425-4d11-8f5c-b842886da966", @@ -211,13 +204,6 @@ { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "type": "uses" - }, - { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", 
@@ -395,13 +381,6 @@
 {
 "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
 "type": "uses"
- },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f",
@@ -423,13 +402,6 @@
 {
 "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
 "type": "uses"
- },
- {
- "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
@@ -526,13 +498,6 @@
 {
 "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
 "type": "uses"
- },
- {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
@@ -575,13 +540,6 @@
 {
 "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
 "type": "uses"
- },
- {
- "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
@@ -666,13 +624,6 @@
 {
 "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
 "type": "uses"
- },
- {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "9de2308e-7bed-43a3-8e58-f194b3586700",
@@ -708,13 +659,6 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
- },
- {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
@@ -743,13 +687,6 @@
 {
 "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
 "type": "uses"
- },
- {
- "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952",
@@ -768,13 +705,6 @@
 {
 "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
 "type": "uses"
- },
- {
- "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5",
@@ -799,13 +729,6 @@
 {
 "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
 "type": "uses"
- },
- {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe",
@@ -828,13 +751,6 @@
 {
 "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
 "type": "uses"
- },
- {
- "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "b35068ec-107a-4266-bda8-eb7036267aea",
@@ -853,13 +769,6 @@
 {
 "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
 "type": "uses"
- },
- {
- "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de",
@@ -931,13 +840,6 @@
 {
 "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
 "type": "uses"
- },
- {
- "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "4664b683-f578-434f-919b-1c1aad2a1111",
@@ -972,6 +874,10 @@
 "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
 "type": "uses"
@@ -1012,10 +918,6 @@
 "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52",
 "type": "uses"
@@ -1076,13 +978,6 @@
 {
 "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
 "type": "uses"
- },
- {
- "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
@@ -1131,13 +1026,6 @@
 {
 "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
 "type": "uses"
- },
- {
- "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
@@ -1175,20 +1063,6 @@
 {
 "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
 "type": "uses"
- },
- {
- "dest-uuid": "3e205e84-9f90-4b4b-8896-c82189936a15",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
@@ -1226,13 +1100,6 @@
 {
 "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed",
 "type": "uses"
- },
- {
- "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
@@ -1269,13 +1136,6 @@
 {
 "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
 "type": "uses"
- },
- {
- "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "64764dc6-a032-495f-8250-1e4c06bdc163",
@@ -1454,13 +1314,6 @@
 {
 "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
 "type": "uses"
- },
- {
- "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
@@ -1474,9 +1327,9 @@
 "Windows"
 ],
 "refs": [
- "http://windowsitpro.com/windows/netexe-reference",
 "https://attack.mitre.org/software/S0039",
- "https://msdn.microsoft.com/en-us/library/aa939914"
+ "https://msdn.microsoft.com/en-us/library/aa939914",
+ "https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference"
 ],
 "synonyms": [
 "Net",
@@ -1543,13 +1396,6 @@
 {
 "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
 "type": "uses"
- },
- {
- "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "03342581-f790-4f03-ba41-e82e67392e23",
@@ -1723,13 +1569,6 @@
 {
 "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
 "type": "uses"
- },
- {
- "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f",
@@ -1759,13 +1598,6 @@
 {
 "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
 "type": "uses"
- },
- {
- "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
@@ -1890,13 +1722,6 @@
 {
 "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
 "type": "uses"
- },
- {
- "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565",
@@ -1918,13 +1743,6 @@
 {
 "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
 "type": "uses"
- },
- {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
@@ -1946,13 +1764,6 @@
 {
 "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
 "type": "uses"
- },
- {
- "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47",
@@ -1984,13 +1795,6 @@
 {
 "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
 "type": "uses"
- },
- {
- "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "30489451-5886-4c46-90c9-0dff9adc5252",
@@ -2016,13 +1820,6 @@
 {
 "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
 "type": "uses"
- },
- {
- "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "c9703cd3-141c-43a0-a926-380082be5d04",
@@ -2047,13 +1844,6 @@
 {
 "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
 "type": "uses"
- },
- {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "2fab555f-7664-4623-b4e0-1675ae38190b",
@@ -2079,13 +1869,6 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
- },
- {
- "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
@@ -2153,13 +1936,6 @@
 {
 "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
 "type": "uses"
- },
- {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52",
@@ -2290,13 +2066,6 @@
 {
 "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
 "type": "uses"
- },
- {
- "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d",
@@ -2315,13 +2084,6 @@
 {
 "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
 "type": "uses"
- },
- {
- "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b",
@@ -2586,13 +2348,6 @@
 {
 "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
 "type": "uses"
- },
- {
- "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4",
@@ -2690,13 +2445,6 @@
 {
 "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
 "type": "uses"
- },
- {
- "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
@@ -2723,13 +2471,6 @@
 {
 "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
 "type": "uses"
- },
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2",
@@ -2795,13 +2536,6 @@
 {
 "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
 "type": "uses"
- },
- {
- "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719",
@@ -2936,13 +2670,6 @@
 {
 "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
 "type": "uses"
- },
- {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d",
@@ -2968,13 +2695,6 @@
 {
 "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2",
 "type": "uses"
- },
- {
- "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830",
@@ -3000,6 +2720,10 @@
 "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
 "type": "uses"
@@ -3016,10 +2740,6 @@
 "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
 "type": "uses"
@@ -3089,13 +2809,6 @@
 {
 "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
 "type": "uses"
- },
- {
- "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153",
@@ -3194,13 +2907,6 @@
 {
 "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d",
 "type": "uses"
- },
- {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27",
@@ -3219,13 +2925,6 @@
 {
 "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
 "type": "uses"
- },
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5",
@@ -3244,13 +2943,6 @@
 {
 "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
 "type": "uses"
- },
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555",
@@ -3395,13 +3087,6 @@
 {
 "dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a",
 "type": "uses"
- },
- {
- "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4",
@@ -3976,13 +3661,6 @@
 {
 "dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3",
 "type": "uses"
- },
- {
- "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4",
@@ -4328,6 +4006,10 @@
 "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
 "type": "uses"
 },
+ {
+ "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
+ "type": "uses"
+ },
 {
 "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
 "type": "uses"
@@ -4356,10 +4038,6 @@
 "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
 "type": "uses"
 },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "type": "uses"
- },
 {
 "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
 "type": "uses"
@@ -5248,5 +4926,5 @@
 "value": "Mythic - S0699"
 }
 ],
- "version": 31
+ "version": 32
 }