From a4a72d0698ddd2b60e833ffcaeccfbd24e1beb28 Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Wed, 31 Jul 2019 14:08:50 +0200
Subject: [PATCH 01/37] adding Proofpoint's TA428
---
 clusters/threat-actor.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7d2cd7f..f84fa12 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7622,7 +7622,18 @@
 },
 "uuid": "64ac8827-89d9-4738-9df3-cd955c628bee",
 "value": "SWEED"
+ },
+ {
+ "description": "Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C&C) infrastructure with the newly identified Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic TTPs utilized in this operation, Proofpoint analysts attribute this activity to the Chinese APT group tracked internally as TA428. Researchers believe that this activity has an operational and tactical resemblance to the Maudi Surveillance Operation which was previously reported in 2013.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology"
+ ]
+ },
+ "uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d",
+ "value": "TA428"
 }
 ],
- "version": 122
+ "version": 123
 }
From 0367e16ce023adc02aab03ac0b3878e47d892ba8 Mon Sep 17 00:00:00 2001
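Review bot: The new TA428 entry's description is a verbatim first-person excerpt of the Proofpoint post ("We dubbed this campaign…", "Proofpoint analysts attribute…"), so the country attribution and the CVE-2018-0798 / Cotx RAT claims read as the galaxy's own assessment rather than the vendor's; a short lead-in such as `"description": "According to Proofpoint, …"` or a third-person paraphrase would make the provenance explicit while `refs` keeps the source. The description also carries typographic quotes (U+201C/U+201D) around Operation LagTime IT — valid UTF-8 JSON, but worth normalising to ASCII `"` escapes if the other entries in this file use plain quotes. `country` and `refs` follow the shape of the neighbouring entries.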
From: Daniel Plohmann
Date: Wed, 31 Jul 2019 14:35:09 +0200
Subject: [PATCH 02/37] adding secureworks actor names for energetic bear and teamspy
---
 clusters/threat-actor.json | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7d2cd7f..2afccbf 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2634,7 +2634,8 @@
 "https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
 "https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat",
 "https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672",
- "https://attack.mitre.org/groups/G0035/"
+ "https://attack.mitre.org/groups/G0035/",
+ "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector"
 ],
 "synonyms": [
 "Dragonfly",
@@ -2642,7 +2643,8 @@
 "Group 24",
 "Havex",
 "CrouchingYeti",
- "Koala Team"
+ "Koala Team",
+ "IRON LIBERTY"
 ]
 },
 "related": [
@@ -2857,13 +2859,15 @@
 "https://www.cfr.org/interactive/cyber-operations/team-spy-crew",
 "https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/",
 "https://www.crysys.hu/publications/files/teamspy.pdf",
- "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf"
+ "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf",
+ "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector"
 ],
 "synonyms": [
 "TeamSpy",
 "Team Bear",
 "Berserk Bear",
- "Anger Bear"
+ "Anger Bear",
+ "IRON LYRIC"
 ]
 },
 "related": [
@@ -7624,5 +7628,5 @@
 "value": "SWEED"
 }
 ],
- "version": 122
+ "version": 124
 }
From 17452d31a7e54eb72d2c697e21435b8e3a333894 Mon Sep 17 00:00:00 2001
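Review bot: The `- "version": 122` / `+ "version": 124` pair in the last hunk (`@@ -7624,5 +7628,5 @@`) expects the pre-image of patch 01, which already rewrote that line to 123 — both patches carry `index 7d2cd7f..` — so the series does not apply cleanly in order and the counter jumps from 123 to 124 with no intermediate state. If both commits are meant to land on one branch, this one should be rebased so the hunk reads `- "version": 123` / `+ "version": 124`. The same SecureWorks URL is appended to both the Energetic Bear and the TeamSpy entries (first and third hunks) as the citation for the IRON LIBERTY and IRON LYRIC synonyms respectively; I cannot confirm from the hunk that the report names both groups, so the IRON LYRIC synonym is worth checking against a reference that actually uses that name.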
From: Alexandre Dulaunoy Date: Thu, 1 Aug 2019 15:51:03 +0200 Subject: [PATCH 03/37] chg: [att&ck] July ATT&CK release included in MISP galaxy --- clusters/mitre-attack-pattern.json | 18 +- clusters/mitre-course-of-action.json | 4103 +++++++++++++++-- ...re-enterprise-attack-course-of-action.json | 2 +- clusters/mitre-intrusion-set.json | 1140 ++++- clusters/mitre-malware.json | 2569 ++++++++++- .../mitre-mobile-attack-attack-pattern.json | 2 +- .../mitre-mobile-attack-course-of-action.json | 9 +- clusters/mitre-mobile-attack-malware.json | 2 +- clusters/mitre-pre-attack-attack-pattern.json | 2 +- clusters/mitre-pre-attack-intrusion-set.json | 9 +- clusters/mitre-tool.json | 6 +- 11 files changed, 7406 insertions(+), 456 deletions(-) diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json index d766609..9c6a6c3 100644 --- a/clusters/mitre-attack-pattern.json +++ b/clusters/mitre-attack-pattern.json @@ -775,7 +775,7 @@ "meta": { "external_id": "T1452", "kill_chain": [ - "mitre-mobile-attack:effects" + "mitre-mobile-attack:impact" ], "mitre_platforms": [ "Android", @@ -2072,7 +2072,7 @@ "meta": { "external_id": "APP-28", "kill_chain": [ - "mitre-mobile-attack:effects" + "mitre-mobile-attack:impact" ], "mitre_platforms": [ "Android", @@ -3648,7 +3648,7 @@ "meta": { "external_id": "T1472", "kill_chain": [ - "mitre-mobile-attack:effects" + "mitre-mobile-attack:impact" ], "mitre_platforms": [ "Android", @@ -3825,7 +3825,7 @@ "meta": { "external_id": "T1448", "kill_chain": [ - "mitre-mobile-attack:effects" + "mitre-mobile-attack:impact" ], "mitre_platforms": [ "Android" @@ -7096,7 +7096,7 @@ "meta": { "external_id": "T1447", "kill_chain": [ - "mitre-mobile-attack:effects" + "mitre-mobile-attack:impact" ], "mitre_platforms": [ "Android" @@ -9731,7 +9731,7 @@ "meta": { "external_id": "APP-28", "kill_chain": [ - "mitre-mobile-attack:effects" + "mitre-mobile-attack:impact" ], "mitre_platforms": [ "Android" 
@@ -10263,7 +10263,7 @@ "value": "Repackaged Application - T1444" }, { - "description": "Adversaries may destroy data data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye 
Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)", + "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin 
Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)", "meta": { "external_id": "T1485", "kill_chain": [ 
@@ -10637,7 +10637,7 @@ "value": "Masquerading - T1036" }, { - "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. (Citation: Metasploit) (Citation: Metasploit), (Citation: Veil) (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)", + "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. 
Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)", "meta": { "external_id": "T1064", "kill_chain": [ @@ -11083,5 +11083,5 @@ "value": "DNSCalc - T1324" } ], - "version": 9 + "version": 10 } diff --git a/clusters/mitre-course-of-action.json b/clusters/mitre-course-of-action.json index 8483059..9036013 100644 --- a/clusters/mitre-course-of-action.json +++ b/clusters/mitre-course-of-action.json 
@@ -14,12 +14,12 @@ "meta": { "external_id": "T1060", "refs": [ - "https://attack.mitre.org/techniques/T1060", + "https://attack.mitre.org/mitigations/T1060", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html" + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, "related": [ @@ -39,7 +39,7 @@ "meta": { "external_id": "T1041", "refs": [ - "https://attack.mitre.org/techniques/T1041", + "https://attack.mitre.org/mitigations/T1041", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -60,7 +60,7 @@ "meta": { "external_id": "T1011", "refs": [ - "https://attack.mitre.org/techniques/T1011", + "https://attack.mitre.org/mitigations/T1011", "https://technet.microsoft.com/library/dd252791.aspx", "https://www.techrepublic.com/blog/data-center/configuring-wireless-settings-via-group-policy/" ] 
@@ -77,12 +77,234 @@ "uuid": "a98be93b-a75b-4dd4-8a72-4dfd0b5e25bb", "value": "Exfiltration Over Other Network Medium Mitigation - T1011" }, + { + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "meta": { + "external_id": "M1042", + "refs": [ + "https://attack.mitre.org/mitigations/M1042" + ] + }, + "related": [ + { + "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"dc31fe1e-d722-49da-8f5f-92c7b5aff534", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "eb88d97c-32f1-40be-80f0-d61a4b0b4b31", + "value": "Disable or Remove Feature or Program - M1042" + }, + { + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "meta": { + "external_id": "M1035", + "refs": [ + "https://attack.mitre.org/mitigations/M1035" + ] + }, + "related": [ + { + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "1dcaeb21-9348-42ea-950a-f842aaf1ae1f", + "value": "Limit Access to Resource Over Network - M1035" + }, { "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) 
(Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "meta": { "external_id": "T1039", "refs": [ - "https://attack.mitre.org/techniques/T1039", + "https://attack.mitre.org/mitigations/T1039", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -107,7 +329,7 @@ "meta": { "external_id": "T1084", "refs": [ - "https://attack.mitre.org/techniques/T1084", + "https://attack.mitre.org/mitigations/T1084", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf" ] }, @@ -128,7 +350,7 @@ "meta": { "external_id": "T1094", "refs": [ - "https://attack.mitre.org/techniques/T1094", + "https://attack.mitre.org/mitigations/T1094", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -149,7 +371,7 @@ "meta": { "external_id": "T1183", "refs": [ - "https://attack.mitre.org/techniques/T1183", + "https://attack.mitre.org/mitigations/T1183", "https://answers.microsoft.com/windows/forum/windows_10-security/part-of-windows-10-or-really-malware/af715663-a34a-423c-850d-2a46f369a54c", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", @@ -173,7 +395,7 @@ "meta": { "external_id": "T1198", "refs": [ - "https://attack.mitre.org/techniques/T1198", + "https://attack.mitre.org/mitigations/T1198", "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf" ] }, 
@@ -194,7 +416,7 @@ "meta": { "external_id": "T1095", "refs": [ - "https://attack.mitre.org/techniques/T1095", + "https://attack.mitre.org/mitigations/T1095", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -215,12 +437,12 @@ "meta": { "external_id": "T1140", "refs": [ - "https://attack.mitre.org/techniques/T1140", + "https://attack.mitre.org/mitigations/T1140", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html" + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, "related": [ @@ -260,7 +482,7 @@ "meta": { "external_id": "T1030", "refs": [ - "https://attack.mitre.org/techniques/T1030", + "https://attack.mitre.org/mitigations/T1030", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -281,7 +503,7 @@ "meta": { "external_id": "T1005", "refs": [ - "https://attack.mitre.org/techniques/T1005", + "https://attack.mitre.org/mitigations/T1005", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -306,7 +528,7 @@ "meta": { "external_id": "T1006", "refs": [ - "https://attack.mitre.org/techniques/T1006", + "https://attack.mitre.org/mitigations/T1006", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -365,7 +587,7 @@ "meta": { "external_id": "T1070", "refs": [ - "https://attack.mitre.org/techniques/T1070" + "https://attack.mitre.org/mitigations/T1070" ] }, "related": [ @@ -385,7 +607,7 @@ "meta": { "external_id": "T1210", "refs": [ - "https://attack.mitre.org/techniques/T1210", + "https://attack.mitre.org/mitigations/T1210", "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/", "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/", "https://en.wikipedia.org/wiki/Control-flow_integrity" @@ -408,11 +630,11 @@ "meta": { "external_id": "T1016", "refs": [ - "https://attack.mitre.org/techniques/T1016", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://attack.mitre.org/mitigations/T1016", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, @@ -433,7 +655,7 @@ "meta": { "external_id": "T1071", "refs": [ - "https://attack.mitre.org/techniques/T1071", + "https://attack.mitre.org/mitigations/T1071", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, 
@@ -454,7 +676,7 @@ "meta": { "external_id": "T1091", "refs": [ - "https://attack.mitre.org/techniques/T1091", + "https://attack.mitre.org/mitigations/T1091", "https://support.microsoft.com/en-us/kb/967715", "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", 
@@ -476,12 +698,214 @@ "uuid": "effb83a0-ead1-4b36-b7f6-b7bdf9c4616e", "value": "Replication Through Removable Media Mitigation - T1091" }, + { + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "meta": { + "external_id": "M1022", + "refs": [ + "https://attack.mitre.org/mitigations/M1022" + ] + }, + "related": [ + { + "dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d3046a90-580c-4004-8208-66915bc29830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "06780952-177c-4247-b978-79c357fb311f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "987988f0-cf86-4680-a875-2f6456ab2448", + "value": "Restrict File and Directory Permissions - M1022" + }, { "description": "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nOther types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nSecurity applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 
(Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility.", "meta": { "external_id": "T1203", "refs": [ - "https://attack.mitre.org/techniques/T1203", + "https://attack.mitre.org/mitigations/T1203", "https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/", "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/", "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/", @@ -505,13 +929,13 @@ "meta": { "external_id": "T1042", "refs": [ - "https://attack.mitre.org/techniques/T1042", + "https://attack.mitre.org/mitigations/T1042", + "https://msdn.microsoft.com/en-us/library/cc144156.aspx", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", - "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "https://msdn.microsoft.com/en-us/library/cc144156.aspx" + "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, "related": [ @@ -531,7 +955,7 @@ "meta": { "external_id": "T1025", "refs": [ - "https://attack.mitre.org/techniques/T1025", + "https://attack.mitre.org/mitigations/T1025", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -556,7 +980,7 @@
 "meta": {
 "external_id": "T1052",
 "refs": [
- "https://attack.mitre.org/techniques/T1052",
+ "https://attack.mitre.org/mitigations/T1052",
 "https://support.microsoft.com/en-us/kb/967715",
 "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx"
 ]
@@ -578,7 +1002,7 @@
 "meta": {
 "external_id": "T1027",
 "refs": [
- "https://attack.mitre.org/techniques/T1027",
+ "https://attack.mitre.org/mitigations/T1027",
 "https://cloudblogs.microsoft.com/microsoftsecure/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/?source=mmpc"
 ]
 },
@@ -599,7 +1023,7 @@
 "meta": {
 "external_id": "T1092",
 "refs": [
- "https://attack.mitre.org/techniques/T1092",
+ "https://attack.mitre.org/mitigations/T1092",
 "https://support.microsoft.com/en-us/kb/967715",
 "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx"
 ]
@@ -621,11 +1045,11 @@
 "meta": {
 "external_id": "T1083",
 "refs": [
- "https://attack.mitre.org/techniques/T1083",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://attack.mitre.org/mitigations/T1083",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
@@ -646,9 +1070,9 @@
 "meta": {
 "external_id": "T1038",
 "refs": [
- "https://attack.mitre.org/techniques/T1038",
- "http://msdn.microsoft.com/en-US/library/ms682586",
+ "https://attack.mitre.org/mitigations/T1038",
 "http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx",
+ "http://msdn.microsoft.com/en-US/library/ms682586",
 "https://github.com/mattifestation/PowerSploit",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -672,7 +1096,7 @@
 "meta": {
 "external_id": "T1044",
 "refs": [
- "https://attack.mitre.org/techniques/T1044",
+ "https://attack.mitre.org/mitigations/T1044",
 "https://github.com/mattifestation/PowerSploit",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -697,7 +1121,7 @@
 "meta": {
 "external_id": "T1048",
 "refs": [
- "https://attack.mitre.org/techniques/T1048",
+ "https://attack.mitre.org/mitigations/T1048",
 "https://technet.microsoft.com/en-us/library/cc700828.aspx",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
@@ -719,12 +1143,12 @@
 "meta": {
 "external_id": "T1049",
 "refs": [
- "https://attack.mitre.org/techniques/T1049",
+ "https://attack.mitre.org/mitigations/T1049",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -744,7 +1168,7 @@
 "meta": {
 "external_id": "T1058",
 "refs": [
- "https://attack.mitre.org/techniques/T1058",
+ "https://attack.mitre.org/mitigations/T1058",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
@@ -767,7 +1191,7 @@
 "meta": {
 "external_id": "T1066",
 "refs": [
- "https://attack.mitre.org/techniques/T1066",
+ "https://attack.mitre.org/mitigations/T1066",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -792,7 +1216,7 @@
 "meta": {
 "external_id": "T1068",
 "refs": [
- "https://attack.mitre.org/techniques/T1068",
+ "https://attack.mitre.org/mitigations/T1068",
 "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/",
 "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/",
 "https://en.wikipedia.org/wiki/Control-flow_integrity"
@@ -815,7 +1239,7 @@
 "meta": {
 "external_id": "T1088",
 "refs": [
- "https://attack.mitre.org/techniques/T1088",
+ "https://attack.mitre.org/mitigations/T1088",
 "https://github.com/hfiref0x/UACME"
 ]
 },
@@ -836,7 +1260,7 @@
 "meta": {
 "external_id": "T1211",
 "refs": [
- "https://attack.mitre.org/techniques/T1211",
+ "https://attack.mitre.org/mitigations/T1211",
 "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/",
 "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/",
 "https://en.wikipedia.org/wiki/Control-flow_integrity"
@@ -859,7 +1283,7 @@
 "meta": {
 "external_id": "T1181",
 "refs": [
- "https://attack.mitre.org/techniques/T1181",
+ "https://attack.mitre.org/mitigations/T1181",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -884,7 +1308,7 @@
 "meta": {
 "external_id": "T1212",
 "refs": [
- "https://attack.mitre.org/techniques/T1212",
+ "https://attack.mitre.org/mitigations/T1212",
 "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/",
 "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/",
 "https://en.wikipedia.org/wiki/Control-flow_integrity"
@@ -907,7 +1331,7 @@
 "meta": {
 "external_id": "T1122",
 "refs": [
- "https://attack.mitre.org/techniques/T1122",
+ "https://attack.mitre.org/mitigations/T1122",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -932,7 +1356,7 @@
 "meta": {
 "external_id": "T1213",
 "refs": [
- "https://attack.mitre.org/techniques/T1213"
+ "https://attack.mitre.org/mitigations/T1213"
 ]
 },
 "related": [
@@ -952,10 +1376,10 @@
 "meta": {
 "external_id": "T1215",
 "refs": [
- "https://attack.mitre.org/techniques/T1215",
- "https://patchwork.kernel.org/patch/8754821/",
+ "https://attack.mitre.org/mitigations/T1215",
 "http://rkhunter.sourceforge.net",
- "http://www.chkrootkit.org/"
+ "http://www.chkrootkit.org/",
+ "https://patchwork.kernel.org/patch/8754821/"
 ]
 },
 "related": [
@@ -975,7 +1399,7 @@
 "meta": {
 "external_id": "T1126",
 "refs": [
- "https://attack.mitre.org/techniques/T1126",
+ "https://attack.mitre.org/mitigations/T1126",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1000,7 +1424,7 @@
 "meta": {
 "external_id": "T1216",
 "refs": [
- "https://attack.mitre.org/techniques/T1216"
+ "https://attack.mitre.org/mitigations/T1216"
 ]
 },
 "related": [
@@ -1020,7 +1444,7 @@
 "meta": {
 "external_id": "T1218",
 "refs": [
- "https://attack.mitre.org/techniques/T1218"
+ "https://attack.mitre.org/mitigations/T1218"
 ]
 },
 "related": [
@@ -1040,7 +1464,7 @@
 "meta": {
 "external_id": "T1129",
 "refs": [
- "https://attack.mitre.org/techniques/T1129"
+ "https://attack.mitre.org/mitigations/T1129"
 ]
 },
 "related": [
@@ -1060,13 +1484,12 @@
 "meta": {
 "external_id": "T1175",
 "refs": [
- "https://attack.mitre.org/techniques/T1175",
+ "https://attack.mitre.org/mitigations/T1175",
 "https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx",
 "https://msdn.microsoft.com/en-us/library/windows/desktop/ms694331(v=vs.85).aspx",
- "https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx",
 "https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1",
- "https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653",
- "https://technet.microsoft.com/library/cc771387.aspx"
+ "https://technet.microsoft.com/library/cc771387.aspx",
+ "https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653"
 ]
 },
 "related": [
@@ -1086,7 +1509,7 @@
 "meta": {
 "external_id": "T1185",
 "refs": [
- "https://attack.mitre.org/techniques/T1185"
+ "https://attack.mitre.org/mitigations/T1185"
 ]
 },
 "related": [
@@ -1106,7 +1529,7 @@
 "meta": {
 "external_id": "T1158",
 "refs": [
- "https://attack.mitre.org/techniques/T1158"
+ "https://attack.mitre.org/mitigations/T1158"
 ]
 },
 "related": [
@@ -1126,7 +1549,7 @@
 "meta": {
 "external_id": "T1486",
 "refs": [
- "https://attack.mitre.org/techniques/T1486",
+ "https://attack.mitre.org/mitigations/T1486",
 "https://www.ready.gov/business/implementation/IT",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -1152,7 +1575,7 @@
 "meta": {
 "external_id": "T1498",
 "refs": [
- "https://attack.mitre.org/techniques/T1498",
+ "https://attack.mitre.org/mitigations/T1498",
 "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf"
 ]
 },
@@ -1173,7 +1596,7 @@
 "meta": {
 "external_id": "T1499",
 "refs": [
- "https://attack.mitre.org/techniques/T1499",
+ "https://attack.mitre.org/mitigations/T1499",
 "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf"
 ]
 },
@@ -1210,11 +1633,11 @@
 "value": "Use Device-Provided Credential Storage - M1008"
 },
 {
- "description": "Application Isolation and least privilege help lesson the impact of an exploit. Application isolation will limit what other processes and system features the exploited target can access, and least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system. Web Application Firewalls may be used to limit exposure of applications.\n\nSegment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n\nUse secure coding best practices when designing custom software that is meant for deployment to externally facing systems. Avoid issues documented by OWASP, CWE, and other software weakness identification efforts.\n\nRegularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.",
+ "description": "Application isolation and least privilege help lesson the impact of an exploit. Application isolation will limit what other processes and system features the exploited target can access, and least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system. Web Application Firewalls may be used to limit exposure of applications.\n\nSegment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n\nUse secure coding best practices when designing custom software that is meant for deployment to externally facing systems. 
Avoid issues documented by OWASP, CWE, and other software weakness identification efforts.\n\nRegularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.",
 "meta": {
 "external_id": "T1190",
 "refs": [
- "https://attack.mitre.org/techniques/T1190"
+ "https://attack.mitre.org/mitigations/T1190"
 ]
 },
 "related": [
@@ -1234,7 +1657,7 @@
 "meta": {
 "external_id": "T1111",
 "refs": [
- "https://attack.mitre.org/techniques/T1111",
+ "https://attack.mitre.org/mitigations/T1111",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1259,7 +1682,7 @@
 "meta": {
 "external_id": "T1156",
 "refs": [
- "https://attack.mitre.org/techniques/T1156"
+ "https://attack.mitre.org/mitigations/T1156"
 ]
 },
 "related": [
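Review bot: The rewritten T1190 description in the hunk that opens at `@@ -1210,11 +1633,11 @@` still carries the upstream wording error "help lesson the impact of an exploit"; the intended word is "lessen", so the new line should read `"description": "Application isolation and least privilege help lessen the impact of an exploit. …"`. The commit only lowercases "isolation" and leaves the typo in place, so this user-visible text will keep the mistake. This cluster appears to be regenerated from the upstream ATT&CK data, so the correction likely belongs in the generator input rather than a hand edit here, otherwise the next regeneration would reintroduce it.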
@@ -1277,9 +1700,9 @@
 {
 "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
 "meta": {
- "external_id": "T1482",
+ "external_id": "T1033",
 "refs": [
- "https://attack.mitre.org/techniques/T1482",
+ "https://attack.mitre.org/mitigations/T1033",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1304,14 +1727,14 @@
 }
 ],
 "uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44",
- "value": "System Owner/User Discovery Mitigation - T1482"
+ "value": "System Owner/User Discovery Mitigation - T1033"
 },
 {
 "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
 "meta": {
 "external_id": "T1010",
 "refs": [
- "https://attack.mitre.org/techniques/T1010",
+ "https://attack.mitre.org/mitigations/T1010",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1331,12 +1754,39 @@
 "uuid": "25d5e1d8-c6fb-4735-bc57-115a21222f4b",
 "value": "Application Window Discovery Mitigation - T1010"
 },
+ {
+ "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+ "meta": {
+ "external_id": "M1040",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1040"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "90f39ee1-d5a3-4aaa-9f28-3b42815b0d46",
+ "value": "Behavior Prevention on Endpoint - M1040"
+ },
 {
 "description": "Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.\n\nIdentify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.",
 "meta": {
 "external_id": "T1004",
 "refs": [
- "https://attack.mitre.org/techniques/T1004",
+ "https://attack.mitre.org/mitigations/T1004",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
@@ -1354,6 +1804,31 @@
 "uuid": "313c8b20-4d49-40c1-9ac0-4c573aca28f3",
 "value": "Winlogon Helper DLL Mitigation - T1004"
 },
+ {
+ "description": "This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to decrypt, deobfuscate, decode, and compile files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)",
+ "meta": {
+ "external_id": "T1500",
+ "refs": [
+ "https://attack.mitre.org/mitigations/T1500",
+ "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
+ "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "ae56a49d-5281-45c5-ab95-70a1439c338e",
+ "value": "Compile After Delivery Mitigation - T1500"
+ },
 {
 "description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.",
 "meta": {
@@ -1526,7 +2001,7 @@
 "meta": {
 "external_id": "T1007",
 "refs": [
- "https://attack.mitre.org/techniques/T1007",
+ "https://attack.mitre.org/mitigations/T1007",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1551,7 +2026,7 @@
 "meta": {
 "external_id": "T1080",
 "refs": [
- "https://attack.mitre.org/techniques/T1080",
+ "https://attack.mitre.org/mitigations/T1080",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1576,7 +2051,7 @@
 "meta": {
 "external_id": "T1101",
 "refs": [
- "https://attack.mitre.org/techniques/T1101",
+ "https://attack.mitre.org/mitigations/T1101",
 "http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html",
 "https://technet.microsoft.com/en-us/library/dn408187.aspx"
 ]
@@ -1598,7 +2073,7 @@
 "meta": {
 "external_id": "T1120",
 "refs": [
- "https://attack.mitre.org/techniques/T1120",
+ "https://attack.mitre.org/mitigations/T1120",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1623,7 +2098,7 @@
 "meta": {
 "external_id": "T1201",
 "refs": [
- "https://attack.mitre.org/techniques/T1201",
+ "https://attack.mitre.org/mitigations/T1201",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements"
 ]
 },
@@ -1644,7 +2119,7 @@
 "meta": {
 "external_id": "T1130",
 "refs": [
- "https://attack.mitre.org/techniques/T1130",
+ "https://attack.mitre.org/mitigations/T1130",
 "https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning",
 "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec"
 ]
@@ -1666,7 +2141,7 @@
 "meta": {
 "external_id": "T1031",
 "refs": [
- "https://attack.mitre.org/techniques/T1031",
+ "https://attack.mitre.org/mitigations/T1031",
 "https://github.com/mattifestation/PowerSploit",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -1690,7 +2165,7 @@
 "meta": {
 "external_id": "T1105",
 "refs": [
- "https://attack.mitre.org/techniques/T1105",
+ "https://attack.mitre.org/mitigations/T1105",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -1711,7 +2186,7 @@
 "meta": {
 "external_id": "T1106",
 "refs": [
- "https://attack.mitre.org/techniques/T1106",
+ "https://attack.mitre.org/mitigations/T1106",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1736,7 +2211,7 @@
 "meta": {
 "external_id": "T1061",
 "refs": [
- "https://attack.mitre.org/techniques/T1061",
+ "https://attack.mitre.org/mitigations/T1061",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1761,7 +2236,7 @@
 "meta": {
 "external_id": "T1017",
 "refs": [
- "https://attack.mitre.org/techniques/T1017"
+ "https://attack.mitre.org/mitigations/T1017"
 ]
 },
 "related": [
@@ -1781,7 +2256,7 @@
 "meta": {
 "external_id": "T1081",
 "refs": [
- "https://attack.mitre.org/techniques/T1081",
+ "https://attack.mitre.org/mitigations/T1081",
 "http://support.microsoft.com/kb/2962486"
 ]
 },
@@ -1802,7 +2277,7 @@
 "meta": {
 "external_id": "T1018",
 "refs": [
- "https://attack.mitre.org/techniques/T1018",
+ "https://attack.mitre.org/mitigations/T1018",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1827,7 +2302,7 @@
 "meta": {
 "external_id": "T1202",
 "refs": [
- "https://attack.mitre.org/techniques/T1202",
+ "https://attack.mitre.org/mitigations/T1202",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1853,7 +2328,7 @@
 "meta": {
 "external_id": "T1220",
 "refs": [
- "https://attack.mitre.org/techniques/T1220"
+ "https://attack.mitre.org/mitigations/T1220"
 ]
 },
 "related": [
@@ -1873,7 +2348,7 @@
 "meta": {
 "external_id": "T1032",
 "refs": [
- "https://attack.mitre.org/techniques/T1032",
+ "https://attack.mitre.org/mitigations/T1032",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -1894,7 +2369,7 @@
 "meta": {
 "external_id": "T1024",
 "refs": [
- "https://attack.mitre.org/techniques/T1024",
+ "https://attack.mitre.org/mitigations/T1024",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -1910,41 +2385,16 @@
 "uuid": "a569295c-a093-4db4-9fb4-7105edef85ad",
 "value": "Custom Cryptographic Protocol Mitigation - T1024"
 },
- {
- "description": "This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to decrypt, deobfuscate, decode, and compile files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)",
- "meta": {
- "external_id": "T1502",
- "refs": [
- "https://attack.mitre.org/techniques/T1502",
- "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
- "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx"
- ]
- },
- "related": [
- {
- "dest-uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
- "uuid": "ae56a49d-5281-45c5-ab95-70a1439c338e",
- "value": "Compile After Delivery Mitigation - T1502"
- },
 {
 "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
 "meta": {
 "external_id": "T1082",
 "refs": [
- "https://attack.mitre.org/techniques/T1082",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://attack.mitre.org/mitigations/T1082",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
@@ -1965,7 +2415,7 @@
 "meta": {
 "external_id": "T1028",
 "refs": [
- "https://attack.mitre.org/techniques/T1028",
+ "https://attack.mitre.org/mitigations/T1028",
 "https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm"
 ]
 },
@@ -1986,7 +2436,7 @@
 "meta": {
 "external_id": "T1043",
 "refs": [
- "https://attack.mitre.org/techniques/T1043",
+ "https://attack.mitre.org/mitigations/T1043",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -2007,7 +2457,7 @@
 "meta": {
 "external_id": "T1063",
 "refs": [
- "https://attack.mitre.org/techniques/T1063",
+ "https://attack.mitre.org/mitigations/T1063",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2032,7 +2482,7 @@
 "meta": {
 "external_id": "T1046",
 "refs": [
- "https://attack.mitre.org/techniques/T1046",
+ "https://attack.mitre.org/mitigations/T1046",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2057,7 +2507,7 @@
 "meta": {
 "external_id": "T1047",
 "refs": [
- "https://attack.mitre.org/techniques/T1047",
+ "https://attack.mitre.org/mitigations/T1047",
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf"
 ]
 },
@@ -2073,12 +2523,95 @@
 "uuid": "ba2ec548-fb75-4b8c-88d6-d91a77a943cf",
 "value": "Windows Management Instrumentation Mitigation - T1047"
 },
+ {
+ "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+ "meta": {
+ "external_id": "M1048",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1048"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7",
+ "tags": [
+ 
"estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "b9f0c069-abbe-4a07-a245-2481219a1463",
+ "value": "Application Isolation and Sandboxing - M1048"
+ },
 {
 "description": "Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. \n\nConsider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.\n\nIdentify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)",
 "meta": {
 "external_id": "T1490",
 "refs": [
- "https://attack.mitre.org/techniques/T1490",
+ "https://attack.mitre.org/mitigations/T1490",
 "https://www.ready.gov/business/implementation/IT",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -2104,7 +2637,7 @@
 "meta": {
 "external_id": "T1065",
 "refs": [
- "https://attack.mitre.org/techniques/T1065",
+ "https://attack.mitre.org/mitigations/T1065",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -2125,7 +2658,7 @@
 "meta": {
 "external_id": "T1075",
 "refs": [
- "https://attack.mitre.org/techniques/T1075",
+ "https://attack.mitre.org/mitigations/T1075",
 "https://github.com/iadgov/Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml"
 ]
 },
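Review bot: The ten `dest-uuid` values in the new M1048 `related` array are opaque references with nothing in this file tying them to a technique name or ID, so a mistyped UUID or one absent from the companion attack-pattern cluster would silently yield a relation that cannot be resolved; each should be confirmed to resolve before merge. The same applies to the eight entries added for M1021 in the later hunk at -2912,+3445, which also shares `d742a578-d70e-4d0e-96a6-02a9c30204e6` with this one. If these entries are produced from the ATT&CK STIX bundle, naming the generator run in the commit message would make that provenance checkable. The rest of this hunk is the `/techniques/` to `/mitigations/` URL move on T1490 that is applied throughout the file.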
@@ -2146,7 +2679,7 @@
 "meta": {
 "external_id": "T1076",
 "refs": [
- "https://attack.mitre.org/techniques/T1076",
+ "https://attack.mitre.org/mitigations/T1076",
 "https://security.berkeley.edu/node/94",
 "https://technet.microsoft.com/en-us/library/cc754272(v=ws.11).aspx"
 ]
@@ -2168,15 +2701,15 @@
 "meta": {
 "external_id": "T1096",
 "refs": [
- "https://attack.mitre.org/techniques/T1096",
+ "https://attack.mitre.org/mitigations/T1096",
+ "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/",
+ "https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
 "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
 "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "https://blog.stealthbits.com/attack-step-3-persistence-ntfs-extended-attributes-file-system-attacks",
- "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/",
- "https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore"
+ "https://blog.stealthbits.com/attack-step-3-persistence-ntfs-extended-attributes-file-system-attacks"
 ]
 },
 "related": [
@@ -2196,11 +2729,11 @@
 "meta": {
 "external_id": "T1069",
 "refs": [
- "https://attack.mitre.org/techniques/T1069",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://attack.mitre.org/mitigations/T1069",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
@@ -2221,7 +2754,7 @@
 "meta": {
 "external_id": "T1077",
 "refs": [
- "https://attack.mitre.org/techniques/T1077",
+ "https://attack.mitre.org/mitigations/T1077",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2246,14 +2779,14 @@
 "meta": {
 "external_id": "T1097",
 "refs": [
- "https://attack.mitre.org/techniques/T1097",
+ "https://attack.mitre.org/mitigations/T1097",
 "https://adsecurity.org/?p=556",
+ "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
 "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf"
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -2273,7 +2806,7 @@
 "meta": {
 "external_id": "T1089",
 "refs": [
- "https://attack.mitre.org/techniques/T1089"
+ "https://attack.mitre.org/mitigations/T1089"
 ]
 },
 "related": [
@@ -2293,7 +2826,7 @@
 "meta": {
 "external_id": "T1151",
 "refs": [
- "https://attack.mitre.org/techniques/T1151"
+ "https://attack.mitre.org/mitigations/T1151"
 ]
 },
 "related": [
@@ -2313,7 +2846,7 @@
 "meta": {
 "external_id": "T1214",
 "refs": [
- "https://attack.mitre.org/techniques/T1214"
+ "https://attack.mitre.org/mitigations/T1214"
 ]
 },
 "related": [
@@ -2333,12 +2866,12 @@
 "meta": {
 "external_id": "T1124",
 "refs": [
- "https://attack.mitre.org/techniques/T1124",
+ "https://attack.mitre.org/mitigations/T1124",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -2358,7 +2891,7 @@
 "meta": {
 "external_id": "T1217",
 "refs": [
- "https://attack.mitre.org/techniques/T1217",
+ "https://attack.mitre.org/mitigations/T1217",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2383,10 +2916,10 @@
 "meta": {
 "external_id": "T1127",
 "refs": [
- "https://attack.mitre.org/techniques/T1127",
+ "https://attack.mitre.org/mitigations/T1127",
+ "https://github.com/Microsoft/windows-itpro-docs/blob/master/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md",
 "http://www.exploit-monday.com/2016/09/using-device-guard-to-mitigate-against.html",
- "https://github.com/mattifestation/DeviceGuardBypassMitigationRules",
- "https://github.com/Microsoft/windows-itpro-docs/blob/master/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md"
+ "https://github.com/mattifestation/DeviceGuardBypassMitigationRules"
 ]
 },
 "related": [
@@ -2406,7 +2939,7 @@
 "meta": {
 "external_id": "T1128",
 "refs": [
- "https://attack.mitre.org/techniques/T1128",
+ "https://attack.mitre.org/mitigations/T1128",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
@@ -2429,7 +2962,7 @@
 "meta": {
 "external_id": "T1219",
 "refs": [
- "https://attack.mitre.org/techniques/T1219"
+ "https://attack.mitre.org/mitigations/T1219"
 ]
 },
 "related": [
@@ -2445,11 +2978,11 @@
 "value": "Remote Access Tools Mitigation - T1219"
 },
 {
- "description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through uses of network proxies, gateways, and firewalls as appropriate. Disable or block services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028) can be used externally. Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of [Two-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111) techniques for some two-factor authentication implementations.",
+ "description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Disable or block remotely available services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028). Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of [Two-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111) techniques for some two-factor authentication implementations.",
 "meta": {
 "external_id": "T1133",
 "refs": [
- "https://attack.mitre.org/techniques/T1133"
+ "https://attack.mitre.org/mitigations/T1133"
 ]
 },
 "related": [
@@ -2469,7 +3002,7 @@
 "meta": {
 "external_id": "T1134",
 "refs": [
- "https://attack.mitre.org/techniques/T1134",
+ "https://attack.mitre.org/mitigations/T1134",
 "https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object",
 "https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token"
 ]
@@ -2491,7 +3024,7 @@
 "meta": {
 "external_id": "T1135",
 "refs": [
- "https://attack.mitre.org/techniques/T1135",
+ "https://attack.mitre.org/mitigations/T1135",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2516,7 +3049,7 @@
 "meta": {
 "external_id": "T1137",
 "refs": [
- "https://attack.mitre.org/techniques/T1137",
+ "https://attack.mitre.org/mitigations/T1137",
 "https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/",
 "https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
 "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/",
@@ -2541,7 +3074,7 @@
 "meta": {
 "external_id": "T1173",
 "refs": [
- "https://attack.mitre.org/techniques/T1173",
+ "https://attack.mitre.org/mitigations/T1173",
 "https://technet.microsoft.com/library/security/4053440",
 "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/",
 "https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b",
@@ -2568,7 +3101,7 @@
 "meta": {
 "external_id": "T1146",
 "refs": [
- "https://attack.mitre.org/techniques/T1146",
+ "https://attack.mitre.org/mitigations/T1146",
 "http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory"
 ]
 },
@@ -2589,7 +3122,7 @@
 "meta": {
 "external_id": "T1174",
 "refs": [
- "https://attack.mitre.org/techniques/T1174",
+ "https://attack.mitre.org/mitigations/T1174",
 "https://msdn.microsoft.com/library/windows/desktop/ms721766.aspx"
 ]
 },
@@ -2610,7 +3143,7 @@
 "meta": {
 "external_id": "T1194",
 "refs": [
- "https://attack.mitre.org/techniques/T1194"
+ "https://attack.mitre.org/mitigations/T1194"
 ]
 },
 "related": [
@@ -2630,7 +3163,7 @@
 "meta": {
 "external_id": "T1195",
 "refs": [
- "https://attack.mitre.org/techniques/T1195",
+ "https://attack.mitre.org/mitigations/T1195",
 "https://www.mitre.org/sites/default/files/publications/se-guide-book-interactive.pdf",
 "http://dx.doi.org/10.6028/NIST.IR.7622",
 "https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf"
@@ -2653,7 +3186,7 @@
 "meta": {
 "external_id": "T1166",
 "refs": [
- "https://attack.mitre.org/techniques/T1166"
+ "https://attack.mitre.org/mitigations/T1166"
 ]
 },
 "related": [
@@ -2693,7 +3226,7 @@
 "meta": {
 "external_id": "T1196",
 "refs": [
- "https://attack.mitre.org/techniques/T1196",
+ "https://attack.mitre.org/mitigations/T1196",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2717,7 +3250,7 @@
 "meta": {
 "external_id": "T1222",
 "refs": [
- "https://attack.mitre.org/techniques/T1222"
+ "https://attack.mitre.org/mitigations/T1222"
 ]
 },
 "related": [
@@ -2737,7 +3270,7 @@
 "meta": {
 "external_id": "T1223",
 "refs": [
- "https://attack.mitre.org/techniques/T1223",
+ "https://attack.mitre.org/mitigations/T1223",
 "https://live.paloaltonetworks.com/t5/Ignite-2016-Blog/Breakout-Recap-Cybersecurity-Best-Practices-Part-1-Preventing/ba-p/75913"
 ]
 },
@@ -2758,7 +3291,7 @@
 "meta": {
 "external_id": "T1482",
 "refs": [
- "https://attack.mitre.org/techniques/T1482",
+ "https://attack.mitre.org/mitigations/T1482",
 "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ "
 ]
 },
@@ -2775,11 +3308,11 @@
 "value": "Domain Trust Discovery Mitigation - T1482"
 },
 {
- "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure the data related to those processes against tampering. least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. Consider encrypting important information to reduce an adversaries ability to perform tailor data modifications. Where applicable, examine using file monitoring software to check integrity on important files and directories as well as take corrective actions when unauthorized changes are detected. \n\nConsider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and manipulate backups.",
+ "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure the data related to those processes against tampering. Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. Consider encrypting important information to reduce an adversaries ability to perform tailor data modifications. Where applicable, examine using file monitoring software to check integrity on important files and directories as well as take corrective actions when unauthorized changes are detected. 
\n\nConsider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and manipulate backups.",
 "meta": {
 "external_id": "T1492",
 "refs": [
- "https://attack.mitre.org/techniques/T1492",
+ "https://attack.mitre.org/mitigations/T1492",
 "https://www.ready.gov/business/implementation/IT"
 ]
 },
@@ -2800,7 +3333,7 @@
 "meta": {
 "external_id": "T1483",
 "refs": [
- "https://attack.mitre.org/techniques/T1483",
+ "https://attack.mitre.org/mitigations/T1483",
 "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf",
 "https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/",
 "https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html",
@@ -2824,7 +3357,7 @@
 "meta": {
 "external_id": "T1493",
 "refs": [
- "https://attack.mitre.org/techniques/T1493"
+ "https://attack.mitre.org/mitigations/T1493"
 ]
 },
 "related": [
@@ -2844,7 +3377,7 @@
 "meta": {
 "external_id": "T1484",
 "refs": [
- "https://attack.mitre.org/techniques/T1484",
+ "https://attack.mitre.org/mitigations/T1484",
 "https://github.com/BloodHoundAD/BloodHound",
 "https://wald0.com/?p=179",
 "https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/",
@@ -2868,7 +3401,7 @@
 "meta": {
 "external_id": "T1494",
 "refs": [
- "https://attack.mitre.org/techniques/T1494",
+ "https://attack.mitre.org/mitigations/T1494",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
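Review bot: The rewritten T1492 description on the new side still carries two grammar slips inherited from the old text — `an adversaries ability to perform tailor data modifications` and `Ensure backups are stored off system and is protected` — which should read `an adversary's ability to perform tailored data modifications` and `are stored off system and are protected`. If this description is imported verbatim from ATT&CK, the correction belongs upstream rather than in this file, and saying so in the commit message would spare the same comment on every refresh. The enclosing T1492 entry starts at the hunk header but its `related` block lies beyond the hunk.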
@@ -2893,7 +3426,7 @@
 "meta": {
 "external_id": "T1171",
 "refs": [
- "https://attack.mitre.org/techniques/T1171",
+ "https://attack.mitre.org/mitigations/T1171",
 "https://adsecurity.org/?p=3299",
 "https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html",
 "https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html",
@@ -2912,12 +3445,81 @@
 "uuid": "54246e2e-683f-4bf2-be4c-d7d5a60e7d22",
 "value": "LLMNR/NBT-NS Poisoning Mitigation - T1171"
 },
+ {
+ "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+ "meta": {
+ "external_id": "M1021",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1021"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "54456690-84de-4538-9101-643e26437e09",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "21da4fd4-27ad-4e9c-b93d-0b9b14d02c96",
+ "value": "Restrict Web-Based Content - M1021"
+ },
 {
 "description": "Command and control infrastructure used in a multi-stage channel may be blocked if known ahead of time. 
If unique signatures are present in the C2 traffic, they could also be used as the basis of identifying and blocking the channel. (Citation: University of Birmingham C2)",
 "meta": {
 "external_id": "T1104",
 "refs": [
- "https://attack.mitre.org/techniques/T1104",
+ "https://attack.mitre.org/mitigations/T1104",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -2934,11 +3536,11 @@
 "value": "Multi-Stage Channels Mitigation - T1104"
 },
 {
- "description": "Evaluate the security of third-party software that could be used to deploy or execute programs. Ensure that access to management systems for deployment systems is limited, monitored, and secure. Have a strict approval policy for use of deployment systems.\n\nGrant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.",
+ "description": "Evaluate the security of third-party software that could be used in the enterprise environment. Ensure that access to management systems for third-party systems is limited, monitored, and secure. Have a strict approval policy for use of third-party systems.\n\nGrant access to Third-party systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multi-factor authentication. Verify that account credentials that may be used to access third-party systems are unique and not used throughout the enterprise network. 
Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure third-party systems are regularly patched by users or the provider to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). \n\nEnsure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required.\n\nWhere the third-party system is used for deployment services, ensure that it can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the third-party system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.",
 "meta": {
 "external_id": "T1072",
 "refs": [
- "https://attack.mitre.org/techniques/T1072"
+ "https://attack.mitre.org/mitigations/T1072"
 ]
 },
 "related": [
@@ -2958,7 +3560,7 @@
 "meta": {
 "external_id": "T1073",
 "refs": [
- "https://attack.mitre.org/techniques/T1073"
+ "https://attack.mitre.org/mitigations/T1073"
 ]
 },
 "related": [
@@ -2978,7 +3580,7 @@
 "meta": {
 "external_id": "T1059",
 "refs": [
- "https://attack.mitre.org/techniques/T1059",
+ "https://attack.mitre.org/mitigations/T1059",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -3003,7 +3605,7 @@
 "meta": {
 "external_id": "T1164",
 "refs": [
- "https://attack.mitre.org/techniques/T1164",
+ "https://attack.mitre.org/mitigations/T1164",
 "https://support.apple.com/en-us/HT204005"
 ]
 },
@@ -3024,11 +3626,10 @@
 "meta": {
 "external_id": "T1178",
 "refs": [
- "https://attack.mitre.org/techniques/T1178",
- "https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx",
+ "https://attack.mitre.org/mitigations/T1178",
+ "https://technet.microsoft.com/library/cc755321.aspx",
 "https://technet.microsoft.com/library/cc794757.aspx",
 "https://technet.microsoft.com/library/cc835085.aspx",
- "https://technet.microsoft.com/library/cc755321.aspx",
 "https://adsecurity.org/?p=1640"
 ]
 },
@@ -3049,7 +3650,7 @@
 "meta": {
 "external_id": "T1188",
 "refs": [
- "https://attack.mitre.org/techniques/T1188"
+ "https://attack.mitre.org/mitigations/T1188"
 ]
 },
 "related": [
@@ -3069,7 +3670,7 @@
 "meta": {
 "external_id": "T1189",
 "refs": [
- "https://attack.mitre.org/techniques/T1189",
+ "https://attack.mitre.org/mitigations/T1189",
 "https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/",
 "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/",
 "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/",
@@ -3093,7 +3694,7 @@
 "meta": {
 "external_id": "T1497",
 "refs": [
- "https://attack.mitre.org/techniques/T1497"
+ "https://attack.mitre.org/mitigations/T1497"
 ]
 },
 "related": [
@@ -3113,7 +3714,7 @@
 "meta": {
 "external_id": "T1001",
 "refs": [
- "https://attack.mitre.org/techniques/T1001",
+ "https://attack.mitre.org/mitigations/T1001",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -3134,7 +3735,7 @@
 "meta": {
 "external_id": "T1100",
 "refs": [
- "https://attack.mitre.org/techniques/T1100",
+ "https://attack.mitre.org/mitigations/T1100",
 "https://www.us-cert.gov/ncas/alerts/TA15-314A"
 ]
 },
@@ -3155,7 +3756,7 @@
 "meta": {
 "external_id": "T1020",
 "refs": [
- "https://attack.mitre.org/techniques/T1020",
+ "https://attack.mitre.org/mitigations/T1020",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -3180,7 +3781,7 @@
 "meta": {
 "external_id": "T1200",
 "refs": [
- "https://attack.mitre.org/techniques/T1200",
+ "https://attack.mitre.org/mitigations/T1200",
 "https://en.wikipedia.org/wiki/IEEE_802.1X"
 ]
 },
@@ -3201,7 +3802,7 @@
 "meta": {
 "external_id": "T1002",
 "refs": [
- "https://attack.mitre.org/techniques/T1002",
+ "https://attack.mitre.org/mitigations/T1002",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -3226,7 +3827,8 @@
 "meta": {
 "external_id": "T1003",
 "refs": [
- "https://attack.mitre.org/techniques/T1003",
+ "https://attack.mitre.org/mitigations/T1003",
+ "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach",
 "https://technet.microsoft.com/en-us/library/dn408187.aspx",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -3237,8 +3839,7 @@
 "https://github.com/iadgov/Secure-Host-Baseline/tree/master/Credential%20Guard",
 "https://adsecurity.org/?p=1729",
 "https://support.microsoft.com/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr",
- "https://technet.microsoft.com/library/jj865668.aspx",
- "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach"
+ "https://technet.microsoft.com/library/jj865668.aspx"
 ]
 },
 "related": [
@@ -3278,12 +3879,12 @@
 "meta": {
 "external_id": "T1040",
 "refs": [
- "https://attack.mitre.org/techniques/T1040",
+ "https://attack.mitre.org/mitigations/T1040",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -3303,7 +3904,7 @@
 "meta": {
 "external_id": "T1050",
 "refs": [
- "https://attack.mitre.org/techniques/T1050",
+ "https://attack.mitre.org/mitigations/T1050",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -3328,7 +3929,7 @@ "meta": { "external_id": "T1008", "refs": [ - "https://attack.mitre.org/techniques/T1008", + "https://attack.mitre.org/mitigations/T1008", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -3349,7 +3950,7 @@ "meta": { "external_id": "T1009", "refs": [ - "https://attack.mitre.org/techniques/T1009", + "https://attack.mitre.org/mitigations/T1009", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -3374,7 +3975,7 @@ "meta": { "external_id": "T1090", "refs": [ - "https://attack.mitre.org/techniques/T1090", + "https://attack.mitre.org/mitigations/T1090", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -3459,7 +4060,7 @@ "meta": { "external_id": "T1110", "refs": [ - "https://attack.mitre.org/techniques/T1110", + "https://attack.mitre.org/mitigations/T1110", "https://pages.nist.gov/800-63-3/sp800-63b.html" ] }, @@ -3480,7 +4081,7 @@ "meta": { "external_id": "T1012", "refs": [ - "https://attack.mitre.org/techniques/T1012", + "https://attack.mitre.org/mitigations/T1012", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -3505,7 +4106,7 @@ "meta": { "external_id": "T1021", "refs": [ - "https://attack.mitre.org/techniques/T1021" + "https://attack.mitre.org/mitigations/T1021" ] }, "related": [ @@ -3525,7 +4126,7 @@ "meta": { "external_id": "T1102", "refs": [ - "https://attack.mitre.org/techniques/T1102", + "https://attack.mitre.org/mitigations/T1102", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, 
@@ -3566,7 +4167,7 @@ "meta": { "external_id": "T1103", "refs": [ - "https://attack.mitre.org/techniques/T1103", + "https://attack.mitre.org/mitigations/T1103", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" 
@@ -3584,12 +4185,221 @@ "uuid": "10571bf2-8073-4edf-a71c-23bad225532e", "value": "AppInit DLLs Mitigation - T1103" }, + { + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "meta": { + "external_id": "M1031", + "refs": [ + "https://attack.mitre.org/mitigations/M1031" + ] + }, + "related": [ + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + 
], + "type": "mitigates" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "12241367-a8b7-49b4-b86e-2236901ba50c", + "value": "Network Intrusion Prevention - M1031" + }, { "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions.", "meta": { "external_id": "T1013", "refs": [ - "https://attack.mitre.org/techniques/T1013", + "https://attack.mitre.org/mitigations/T1013", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" ] }, 
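Review bot: The new `Network Intrusion Prevention - M1031` object is added next to the existing `Port Monitors Mitigation - T1013` entry, whose ref is merely repointed to `mitigations/T1013`, so the cluster now carries two generations of mitigation objects with no field telling a consumer which one is current. As far as I recall the upstream ATT&CK STIX export, the technique-scoped mitigation objects were marked deprecated when the `M`-prefixed ones were introduced; if the generator has access to that flag, surfacing it (for example `"deprecated": true` under `meta` for the `T`-prefixed mitigations) would let tooling prefer the `M` objects without hard-coding an ID-prefix rule. The 28 `dest-uuid` values in the new `related` list reference attack-pattern UUIDs in another cluster and cannot be checked from this diff; a CI step that resolves every `dest-uuid` against the galaxy set would catch dangling edges when this file is regenerated.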
@@ -3605,12 +4415,129 @@ "uuid": "1c6bc7f3-d517-4971-aed4-8f939090846b", "value": "Port Monitors Mitigation - T1013" }, + { + "description": "Protect sensitive information with strong encryption.", + "meta": { + "external_id": "M1041", + "refs": [ + "https://attack.mitre.org/mitigations/M1041" + ] + }, + "related": [ + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "feff9142-e8c2-46f4-842b-bd6fb3d41157", + "value": "Encrypt Sensitive Information - M1041" + }, + { + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "meta": { + "external_id": "M1015", + "refs": [ + "https://attack.mitre.org/mitigations/M1015" + ] + }, 
+ "related": [ + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "e3388c78-2a8d-47c2-8422-c1398b324462", + "value": "Active Directory Configuration - M1015" + }, { "description": "To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later. (Citation: TechNet RDP NLA)\n\nIf possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network. (Citation: TechNet RDP Gateway)\n\nIdentify and block potentially malicious software that may be executed by an adversary with this technique by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "meta": { "external_id": "T1015", "refs": [ - "https://attack.mitre.org/techniques/T1015", + "https://attack.mitre.org/mitigations/T1015", "https://technet.microsoft.com/en-us/library/cc732713.aspx", "https://technet.microsoft.com/en-us/library/cc731150.aspx", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", @@ -3637,7 +4564,7 @@ "meta": { "external_id": "T1150", "refs": [ - "https://attack.mitre.org/techniques/T1150" + "https://attack.mitre.org/mitigations/T1150" ] }, "related": [ @@ -3657,7 +4584,7 @@ "meta": { "external_id": "T1501", "refs": [ - "https://attack.mitre.org/techniques/T1501" + "https://attack.mitre.org/mitigations/T1501" ] }, "related": [ @@ -3677,7 +4604,7 @@ "meta": { "external_id": "T1051", "refs": [ - "https://attack.mitre.org/techniques/T1051", + "https://attack.mitre.org/mitigations/T1051", "https://www.acunetix.com/websitesecurity/webserver-security/", "https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-123.pdf" ] @@ -3699,7 +4626,7 @@ "meta": { "external_id": "T1160", "refs": [ - "https://attack.mitre.org/techniques/T1160" + "https://attack.mitre.org/mitigations/T1160" ] }, "related": [ @@ -3719,7 +4646,7 @@ "meta": { "external_id": "T1107", "refs": [ - "https://attack.mitre.org/techniques/T1107", + "https://attack.mitre.org/mitigations/T1107", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -3739,12 +4666,249 @@ "uuid": "34efb2fd-4dc2-40d4-a564-0c147c85034d", "value": "File Deletion Mitigation - T1107" }, + { + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "meta": { + "external_id": "M1018", + "refs": [ + "https://attack.mitre.org/mitigations/M1018" + ] + }, + "related": [ + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"c4ad009b-6e13-4419-8d21-918a1652de02", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "93e7968a-9074-4eac-8ae9-9f5200ec3317", + "value": "User Account Management - M1018" + }, { "description": "Identify and block potentially 
malicious software that may be used as a remote access tool, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", "meta": { "external_id": "T1108", "refs": [ - "https://attack.mitre.org/techniques/T1108", + "https://attack.mitre.org/mitigations/T1108", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -3770,7 +4934,7 @@ "meta": { "external_id": "T1109", "refs": [ - "https://attack.mitre.org/techniques/T1109" + "https://attack.mitre.org/mitigations/T1109" ] }, "related": [ @@ -3790,7 +4954,7 @@ "meta": { "external_id": "T1019", "refs": [ - "https://attack.mitre.org/techniques/T1019", + "https://attack.mitre.org/mitigations/T1019", "http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" ] }, 
@@ -3806,12 +4970,53 @@ "uuid": "25e53928-6f33-49b7-baee-8180578286f6", "value": "System Firmware Mitigation - T1019" }, + { + "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", + "meta": { + "external_id": "M1019", + "refs": [ + "https://attack.mitre.org/mitigations/M1019" + ] + }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "874c0166-e407-45c2-a1d9-e4e3a6570fd8", + "value": "Threat Intelligence Program - M1019" + }, { "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "meta": { "external_id": "T1022", "refs": [ - "https://attack.mitre.org/techniques/T1022", + "https://attack.mitre.org/mitigations/T1022", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -3836,13 +5041,13 @@ "meta": { "external_id": "T1023", "refs": [ - "https://attack.mitre.org/techniques/T1023", + "https://attack.mitre.org/mitigations/T1023", + "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", - "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482" + "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, "related": [ 
@@ -3858,11 +5063,11 @@ "value": "Shortcut Modification Mitigation - T1023" }, { - "description": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. Application whitelisting may be able to prevent the running of executables masquerading as other files.\n\nIf a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files in [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).\n\nIf a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. Solutions can be signature and behavior based, but adversaries may construct files in a way to avoid these systems.", + "description": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. Application whitelisting may be able to prevent the running of executables masquerading as other files.\n\nIf a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .lnk, .pif, .cpl, etc. 
Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and RAR that may be used to conceal malicious files in [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).\n\nIf a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. Solutions can be signature and behavior based, but adversaries may construct files in a way to avoid these systems.", "meta": { "external_id": "T1204", "refs": [ - "https://attack.mitre.org/techniques/T1204" + "https://attack.mitre.org/mitigations/T1204" ] }, "related": [ 
@@ -3877,12 +5082,149 @@ "uuid": "548bf7ad-e19c-4d74-84bf-84ac4e57f505", "value": "User Execution Mitigation - T1204" }, + { + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "meta": { + "external_id": "M1024", + "refs": [ + "https://attack.mitre.org/mitigations/M1024" + ] + }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "a2c36a5d-4058-475e-8e77-fff75e50d3b9", + "value": "Restrict Registry Permissions - M1024" + }, + { + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "meta": { + "external_id": "M1052", + "refs": [ + "https://attack.mitre.org/mitigations/M1052" + ] + }, + "related": [ + { + "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "2c2ad92a-d710-41ab-a996-1db143bb4808", + "value": "User Account Control - M1052" + }, + { + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "meta": { + "external_id": "M1025", + "refs": [ + "https://attack.mitre.org/mitigations/M1025" + ] + }, + "related": [ + { + "dest-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "72dade3e-1cba-4182-b3b3-a77ca52f02a1", + "value": "Privileged Process Integrity - M1025" + }, { "description": "Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.", "meta": { "external_id": "T1205", "refs": [ - "https://attack.mitre.org/techniques/T1205" + "https://attack.mitre.org/mitigations/T1205" ] }, 
"related": [ 
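Review bot: The `User Account Control - M1052` description presents UAC as a control against adversaries obtaining elevated process access, but Microsoft does not treat UAC as a security boundary and ATT&CK itself tracks UAC bypass as a technique, so consumers using this cluster for control mapping may over-credit it. The wording mirrors the upstream ATT&CK description, so any correction belongs upstream rather than in the generator; a one-line maintainer note in the repository documentation stating that mitigation descriptions are carried over verbatim from ATT&CK would set that expectation for entries like this one. The same applies to the terse `Restrict Registry Permissions - M1024` text, which names no specific hives or keys.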
@@ -3897,12 +5239,270 @@ "uuid": "f6b7c116-0821-4eb7-9b24-62bd09b3e575", "value": "Port Knocking Mitigation - T1205" }, + { + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "meta": { + "external_id": "M1026", + "refs": [ + "https://attack.mitre.org/mitigations/M1026" + ] + }, + "related": [ + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": 
"mitigates" + }, + { + "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "9bb9e696-bff8-4ae1-9454-961fc7d91d5f", + "value": "Privileged Account Management - M1026" + }, { "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", "meta": { "external_id": "T1026", "refs": [ - "https://attack.mitre.org/techniques/T1026", + "https://attack.mitre.org/mitigations/T1026", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -3923,7 +5523,7 @@ "meta": { "external_id": "T1206", "refs": [ - "https://attack.mitre.org/techniques/T1206" + "https://attack.mitre.org/mitigations/T1206" ] }, "related": [ 
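Review bot: Every `related` entry added for `Privileged Account Management - M1026` carries the identical tag `estimative-language:likelihood-probability=\"almost-certain\"`, and the same constant appears on every relationship in the M1025, M1028/M1029, M1033/M1043/M1034, M1036/M1037, M1039, M1044 and M1055 hunks, so it looks like a value stamped by the import rather than a per-relationship assessment. Consumers that weight relationships by that taxonomy will read it as analyst confidence; a short note in the galaxy metadata (or the generator) stating that the value is a fixed default for ATT&CK-derived `mitigates` relationships would prevent that. This hunk also leaves `external_id` mixing M-prefixed mitigation IDs with T-prefixed legacy ones (`"external_id": "M1026"` a few lines above `"external_id": "T1026"`), which is inherited from ATT&CK but worth stating in the cluster description for anyone keying on the ID prefix.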
@@ -3938,12 +5538,192 @@ "uuid": "dbf0186e-722d-4a0a-af6a-b3460f162f84", "value": "Sudo Caching Mitigation - T1206" }, + { + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "meta": { + "external_id": "M1028", + "refs": [ + "https://attack.mitre.org/mitigations/M1028" + ] + }, + "related": [ + { + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "086952c4-5b90-4185-b573-02bad8e11953", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8", 
+ "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "2f316f6c-ae42-44fe-adf8-150989e0f6d3", + "value": "Operating System Configuration - M1028" + }, + { + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "meta": { + "external_id": "M1029", + "refs": [ + "https://attack.mitre.org/mitigations/M1029" + ] + }, + "related": [ + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "20a2baeb-98c2-4901-bad7-dc62d0a03dea", + "value": "Remote Data Storage - M1029" + }, { "description": "Identify and block potentially malicious software that may be executed as a time provider by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.\n\nConsider using Group Policy to configure and block subsequent modifications to W32Time parameters. (Citation: Microsoft W32Time May 2017)", "meta": { "external_id": "T1209", "refs": [ - "https://attack.mitre.org/techniques/T1209", + "https://attack.mitre.org/mitigations/T1209", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -3967,7 +5747,7 @@ "meta": { "external_id": "T1029", "refs": [ - "https://attack.mitre.org/techniques/T1029", + "https://attack.mitre.org/mitigations/T1029", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, 
@@ -3983,18 +5763,99 @@ "uuid": "1c0711c8-2a73-48a1-893d-ff88bcd23824", "value": "Scheduled Transfer Mitigation - T1029" }, + { + "description": "Block users or groups from installing unapproved software.", + "meta": { + "external_id": "M1033", + "refs": [ + "https://attack.mitre.org/mitigations/M1033" + ] + }, + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "23843cff-f7b9-4659-a7b7-713ef347f547", + "value": "Limit Software Installation - M1033" + }, + { + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "meta": { + "external_id": "M1043", + "refs": [ + "https://attack.mitre.org/mitigations/M1043" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "49c06d54-9002-491d-9147-8efb537fbd26", + "value": "Credential Access Protection - M1043" + }, + { + "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", + "meta": { + "external_id": "M1034", + "refs": [ + "https://attack.mitre.org/mitigations/M1034" + ] + }, + "related": [ + { + "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "2995bc22-2851-4345-ad19-4e7e295be264", + "value": "Limit Hardware Installation - M1034" + }, { "description": "Eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them (Citation: Microsoft CreateProcess). Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate (Citation: MSDN DLL Security). Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries.\n\nPeriodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations (Citation: Kanthak Sentinel). \n\nRequire that all executables be placed in write-protected directories. 
Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution.\n\nIdentify and block potentially malicious software that may be executed through the path interception by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies, (Citation: Corio 2008) that are capable of auditing and/or blocking unknown executables.", "meta": { "external_id": "T1034", "refs": [ - "https://attack.mitre.org/techniques/T1034", + "https://attack.mitre.org/mitigations/T1034", "http://msdn.microsoft.com/en-us/library/ms682425", + "https://msdn.microsoft.com/en-us/library/ff919712.aspx", + "https://skanthak.homepage.t-online.de/sentinel.html", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "https://msdn.microsoft.com/en-us/library/ff919712.aspx", - "https://skanthak.homepage.t-online.de/sentinel.html", "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" ] }, 
@@ -4015,12 +5876,12 @@
 "meta": {
 "external_id": "T1035",
 "refs": [
- "https://attack.mitre.org/techniques/T1035",
+ "https://attack.mitre.org/mitigations/T1035",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -4040,15 +5901,15 @@
 "meta": {
 "external_id": "T1053",
 "refs": [
- "https://attack.mitre.org/techniques/T1053",
+ "https://attack.mitre.org/mitigations/T1053",
+ "https://github.com/mattifestation/PowerSploit",
+ "https://technet.microsoft.com/library/jj852168.aspx",
+ "https://technet.microsoft.com/library/dn221960.aspx",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
 "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "https://github.com/mattifestation/PowerSploit",
- "https://technet.microsoft.com/library/jj852168.aspx",
- "https://technet.microsoft.com/library/dn221960.aspx"
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -4063,12 +5924,122 @@ "uuid": "f2cb6ce2-188d-4162-8feb-594f949b13dd", "value": "Scheduled Task Mitigation - T1053" }, + { + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "meta": { + "external_id": "M1036", + "refs": [ + "https://attack.mitre.org/mitigations/M1036" + ] + }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c", + "value": "Account Use Policies - M1036" + }, + { + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering.", + "meta": { + "external_id": "M1037", + "refs": [ + "https://attack.mitre.org/mitigations/M1037" + ] + }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c675646d-e204-4aa8-978d-e3d6d65885c4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "20f6a9df-37c4-4e20-9e47-025983b1b39d", + "value": "Filter Network Traffic - M1037" + }, { "description": "Restrict write access to logon scripts to specific administrators. Prevent access to administrator accounts by mitigating Credential Access techniques and limiting account access and permissions of [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n\nIdentify and block potentially malicious software that may be executed through logon script modification by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.", "meta": { "external_id": "T1037", "refs": [ - "https://attack.mitre.org/techniques/T1037", + "https://attack.mitre.org/mitigations/T1037", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" 
@@ -4086,12 +6057,39 @@ "uuid": "9ab7de33-99b2-4d8d-8cf3-182fa0015cc2", "value": "Logon Scripts Mitigation - T1037" }, + { + "description": "Prevent modification of environment variables by unauthorized users and groups.", + "meta": { + "external_id": "M1039", + "refs": [ + "https://attack.mitre.org/mitigations/M1039" + ] + }, + "related": [ + { + "dest-uuid": "d3046a90-580c-4004-8208-66915bc29830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "086952c4-5b90-4185-b573-02bad8e11953", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "609191bf-7d06-40e4-b1f8-9e11eb3ff8a6", + "value": "Environment Variable Permissions - M1039" + }, { "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. \n\nAlthough process hollowing may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "meta": { "external_id": "T1093", "refs": [ - "https://attack.mitre.org/techniques/T1093", + "https://attack.mitre.org/mitigations/T1093", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -4111,12 +6109,39 @@
 "uuid": "7c39ebbf-244e-4d1c-b0ac-b282453ece43",
 "value": "Process Hollowing Mitigation - T1093"
 },
+ {
+ "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.",
+ "meta": {
+ "external_id": "M1044",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1044"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "e8242a33-481c-4891-af63-4cf3e4cf6aff",
+ "value": "Restrict Library Loading - M1044"
+ },
 {
 "description": "Ensure event tracers/forwarders (Citation: Microsoft ETW May 2018), firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls. Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.",
 "meta": {
 "external_id": "T1054",
 "refs": [
- "https://attack.mitre.org/techniques/T1054",
+ "https://attack.mitre.org/mitigations/T1054",
 "https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal"
 ]
 },
@@ -4137,7 +6162,7 @@
 "meta": {
 "external_id": "T1045",
 "refs": [
- "https://attack.mitre.org/techniques/T1045",
+ "https://attack.mitre.org/mitigations/T1045",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4158,16 +6183,11 @@
 "value": "Software Packing Mitigation - T1045"
 },
 {
- "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
+ "description": "Identify system utilities, remote access or third-party tools, users or potentially malicious software that may be used to store compressed or encrypted data in a publicly writeable directory, central location, or commonly used staging directories (e.g. recycle bin) that is indicative of non-standard behavior, and audit and/or block them by using file integrity monitoring tools where appropriate. Consider applying data size limits or blocking file writes of common compression and encryption utilities such as 7zip, RAR, ZIP, or zlib on frequently used staging directories or central locations and monitor attempted violations of those restrictions.",
 "meta": {
 "external_id": "T1074",
 "refs": [
- "https://attack.mitre.org/techniques/T1074",
- "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
- "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx"
+ "https://attack.mitre.org/mitigations/T1074"
 ]
 },
 "related": [
@@ -4187,7 +6207,7 @@
 "meta": {
 "external_id": "T1480",
 "refs": [
- "https://attack.mitre.org/techniques/T1480"
+ "https://attack.mitre.org/mitigations/T1480"
 ]
 },
 "related": [
@@ -4202,18 +6222,38 @@ "uuid": "c61e2da1-f51f-424c-b152-dc930d4f2e70", "value": "Environmental Keying Mitigation - T1480" }, + { + "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.", + "meta": { + "external_id": "M1055", + "refs": [ + "https://attack.mitre.org/mitigations/M1055" + ] + }, + "related": [ + { + "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "787fb64d-c87b-4ee5-a341-0ef17ec4c15c", + "value": "Do Not Mitigate - M1055" + }, { "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific Windows API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. (Citation: GDSecurity Linux injection)\n\nIdentify or block potentially malicious software that may contain process injection functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nUtilize Yama (Citation: Linux kernel Yama) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. 
Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux (Citation: SELinux official), grsecurity (Citation: grsecurity official), and AppAmour (Citation: AppArmor official).", "meta": { "external_id": "T1055", "refs": [ - "https://attack.mitre.org/techniques/T1055", + "https://attack.mitre.org/mitigations/T1055", + "https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html", "https://www.kernel.org/doc/Documentation/security/Yama.txt", "https://selinuxproject.org/page/Main_Page", "https://grsecurity.net/", 
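Review bot: The new `Do Not Mitigate - M1055` entry links technique `853c4192-4311-43e1-bfbb-b11b14911852` with `"type": "mitigates"` and the same almost-certain likelihood tag as every genuine mitigation, although its own description says mitigation is not recommended for the techniques it lists. Any consumer that counts `mitigates` edges as defensive coverage will therefore credit that technique as mitigated. The relationship type appears to be carried over from the ATT&CK source data, so rather than rewriting upstream text I would add a sentence to the cluster description stating that M1055 relationships are advisory and must be excluded from coverage or gap calculations. The T1055 refs reordering in the same hunk is fine as is.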
@@ -4237,12 +6277,12 @@ "meta": { "external_id": "T1056", "refs": [ - "https://attack.mitre.org/techniques/T1056", + "https://attack.mitre.org/mitigations/T1056", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html" + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, "related": [ @@ -4262,7 +6302,7 @@ "meta": { "external_id": "T1057", "refs": [ - "https://attack.mitre.org/techniques/T1057", + "https://attack.mitre.org/mitigations/T1057", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
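Review bot: The T1056 `refs` array is reordered without any reference being added or removed (`http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx` and `https://technet.microsoft.com/en-us/library/ee791851.aspx` move below the JPCERT entry), and the same pure reshuffle appears in the T1087, T1116, T1221, T1172 and T1197 hunks and as a swapped `dest-uuid` pair under T1488. If these clusters are produced by a generator from the ATT&CK STIX bundle, the order presumably follows whatever the source emits, which turns every regeneration into a noisy diff that buries the substantive changes here (the `techniques/` → `mitigations/` URL rewrite and the new M-prefixed entries). A deterministic order applied in the generator — refs in citation order or sorted, `related` sorted by `dest-uuid` — would keep future diffs reviewable. The reorderings themselves look harmless, since nothing visible here relies on array position, though a consumer that reads `refs[0]` as the canonical ATT&CK link still gets the ATT&CK URL first in every case.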
@@ -4287,13 +6327,13 @@ "meta": { "external_id": "T1087", "refs": [ - "https://attack.mitre.org/techniques/T1087", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://attack.mitre.org/mitigations/T1087", + "https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077" + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, "related": [ @@ -4313,7 +6353,7 @@ "meta": { "external_id": "T1078", "refs": [ - "https://attack.mitre.org/techniques/T1078", + "https://attack.mitre.org/mitigations/T1078", "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach", "https://technet.microsoft.com/en-us/library/dn535501.aspx", "https://technet.microsoft.com/en-us/library/dn487450.aspx", @@ -4337,7 +6377,7 @@ "meta": { "external_id": "T1079", "refs": [ - "https://attack.mitre.org/techniques/T1079", + "https://attack.mitre.org/mitigations/T1079", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -4358,7 +6398,7 @@ "meta": { "external_id": "T1098", "refs": [ - "https://attack.mitre.org/techniques/T1098" + "https://attack.mitre.org/mitigations/T1098" ] }, "related": [ 
@@ -4378,7 +6418,7 @@ "meta": { "external_id": "T1112", "refs": [ - "https://attack.mitre.org/techniques/T1112", + "https://attack.mitre.org/mitigations/T1112", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -4403,7 +6443,7 @@ "meta": { "external_id": "T1131", "refs": [ - "https://attack.mitre.org/techniques/T1131", + "https://attack.mitre.org/mitigations/T1131", "http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html", "https://technet.microsoft.com/en-us/library/dn408187.aspx" ] @@ -4425,7 +6465,7 @@ "meta": { "external_id": "T1113", "refs": [ - "https://attack.mitre.org/techniques/T1113", + "https://attack.mitre.org/mitigations/T1113", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -4450,7 +6490,7 @@ "meta": { "external_id": "T1114", "refs": [ - "https://attack.mitre.org/techniques/T1114", + "https://attack.mitre.org/mitigations/T1114", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -4475,7 +6515,7 @@ "meta": { "external_id": "T1141", "refs": [ - "https://attack.mitre.org/techniques/T1141" + "https://attack.mitre.org/mitigations/T1141" ] }, "related": [ 
@@ -4495,7 +6535,7 @@ "meta": { "external_id": "T1115", "refs": [ - "https://attack.mitre.org/techniques/T1115", + "https://attack.mitre.org/mitigations/T1115", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -4520,7 +6560,7 @@ "meta": { "external_id": "T1161", "refs": [ - "https://attack.mitre.org/techniques/T1161" + "https://attack.mitre.org/mitigations/T1161" ] }, "related": [ @@ -4540,10 +6580,10 @@ "meta": { "external_id": "T1116", "refs": [ - "https://attack.mitre.org/techniques/T1116", - "https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/", + "https://attack.mitre.org/mitigations/T1116", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "https://technet.microsoft.com/en-us/library/cc733026.aspx" + "https://technet.microsoft.com/en-us/library/cc733026.aspx", + "https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/" ] }, "related": [ @@ -4563,7 +6603,7 @@ "meta": { "external_id": "T1119", "refs": [ - "https://attack.mitre.org/techniques/T1119", + "https://attack.mitre.org/mitigations/T1119", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -4588,9 +6628,9 @@ "meta": { "external_id": "T1221", "refs": [ - "https://attack.mitre.org/techniques/T1221", - "https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104", - "https://support.office.com/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6" + "https://attack.mitre.org/mitigations/T1221", + "https://support.office.com/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6", + "https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104" ] }, "related": [ @@ -4610,7 +6650,7 @@ "meta": { "external_id": "T1123", "refs": [ - "https://attack.mitre.org/techniques/T1123", + "https://attack.mitre.org/mitigations/T1123", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -4635,7 +6675,7 @@ "meta": { "external_id": "T1132", "refs": [ - "https://attack.mitre.org/techniques/T1132", + "https://attack.mitre.org/mitigations/T1132", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -4656,7 +6696,7 @@ "meta": { "external_id": "T1125", "refs": [ - "https://attack.mitre.org/techniques/T1125", + "https://attack.mitre.org/mitigations/T1125", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -4681,7 +6721,7 @@ "meta": { "external_id": "T1162", "refs": [ - "https://attack.mitre.org/techniques/T1162", + "https://attack.mitre.org/mitigations/T1162", "https://support.apple.com/en-us/HT204005" ] }, @@ -4702,9 +6742,9 @@ "meta": { "external_id": "T1172", "refs": [ - "https://attack.mitre.org/techniques/T1172", - "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", - "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html" + "https://attack.mitre.org/mitigations/T1172", + "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", + "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" ] }, "related": [ @@ -4724,7 +6764,7 @@ "meta": { "external_id": "T1182", "refs": [ - "https://attack.mitre.org/techniques/T1182", + "https://attack.mitre.org/mitigations/T1182", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" 
@@ -4743,11 +6783,11 @@ "value": "AppCert DLLs Mitigation - T1182" }, { - "description": "Because this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. Other mitigations can take place as [User Execution](https://attack.mitre.org/techniques/T1204) occurs.", + "description": "Because this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. Other mitigations can take place as [User Execution](https://attack.mitre.org/techniques/T1204) occurs.", "meta": { "external_id": "T1192", "refs": [ - "https://attack.mitre.org/techniques/T1192" + "https://attack.mitre.org/mitigations/T1192" ] }, "related": [ @@ -4767,7 +6807,7 @@ "meta": { "external_id": "T1143", "refs": [ - "https://attack.mitre.org/techniques/T1143" + "https://attack.mitre.org/mitigations/T1143" ] }, "related": [ @@ -4787,7 +6827,7 @@ "meta": { "external_id": "T1136", "refs": [ - "https://attack.mitre.org/techniques/T1136" + "https://attack.mitre.org/mitigations/T1136" ] }, "related": [ @@ -4807,7 +6847,7 @@ "meta": { "external_id": "T1138", "refs": [ - "https://attack.mitre.org/techniques/T1138" + "https://attack.mitre.org/mitigations/T1138" ] }, "related": [ @@ -4827,7 +6867,7 @@ "meta": { "external_id": "T1193", "refs": [ - "https://attack.mitre.org/techniques/T1193" + "https://attack.mitre.org/mitigations/T1193" ] }, "related": [ 
@@ -4847,7 +6887,7 @@ "meta": { "external_id": "T1139", "refs": [ - "https://attack.mitre.org/techniques/T1139" + "https://attack.mitre.org/mitigations/T1139" ] }, "related": [ @@ -4867,7 +6907,7 @@ "meta": { "external_id": "T1144", "refs": [ - "https://attack.mitre.org/techniques/T1144" + "https://attack.mitre.org/mitigations/T1144" ] }, "related": [ @@ -4887,7 +6927,7 @@ "meta": { "external_id": "T1145", "refs": [ - "https://attack.mitre.org/techniques/T1145" + "https://attack.mitre.org/mitigations/T1145" ] }, "related": [ @@ -4907,7 +6947,7 @@ "meta": { "external_id": "T1147", "refs": [ - "https://attack.mitre.org/techniques/T1147" + "https://attack.mitre.org/mitigations/T1147" ] }, "related": [ @@ -4927,7 +6967,7 @@ "meta": { "external_id": "T1184", "refs": [ - "https://attack.mitre.org/techniques/T1184", + "https://attack.mitre.org/mitigations/T1184", "https://www.symantec.com/connect/articles/ssh-and-ssh-agent" ] }, @@ -4948,7 +6988,7 @@ "meta": { "external_id": "T1149", "refs": [ - "https://attack.mitre.org/techniques/T1149" + "https://attack.mitre.org/mitigations/T1149" ] }, "related": [ @@ -4968,7 +7008,7 @@ "meta": { "external_id": "T1491", "refs": [ - "https://attack.mitre.org/techniques/T1491", + "https://attack.mitre.org/mitigations/T1491", "https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf" ] }, @@ -4989,7 +7029,7 @@ "meta": { "external_id": "T1165", "refs": [ - "https://attack.mitre.org/techniques/T1165" + "https://attack.mitre.org/mitigations/T1165" ] }, "related": [ @@ -5009,7 +7049,7 @@ "meta": { "external_id": "T1157", "refs": [ - "https://attack.mitre.org/techniques/T1157" + "https://attack.mitre.org/mitigations/T1157" ] }, "related": [ @@ -5029,7 +7069,7 @@ "meta": { "external_id": "T1159", "refs": [ - "https://attack.mitre.org/techniques/T1159" + "https://attack.mitre.org/mitigations/T1159" ] }, "related": [ 
@@ -5049,7 +7089,7 @@ "meta": { "external_id": "T1176", "refs": [ - "https://attack.mitre.org/techniques/T1176", + "https://attack.mitre.org/mitigations/T1176", "http://www.technospot.net/blogs/block-chrome-extensions-using-google-chrome-group-policy-settings/" ] }, @@ -5070,7 +7110,7 @@ "meta": { "external_id": "T1186", "refs": [ - "https://attack.mitre.org/techniques/T1186", + "https://attack.mitre.org/mitigations/T1186", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -5095,7 +7135,7 @@ "meta": { "external_id": "T1177", "refs": [ - "https://attack.mitre.org/techniques/T1177", + "https://attack.mitre.org/mitigations/T1177", "https://technet.microsoft.com/library/dn408187.aspx", "https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-manage", "https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-how-it-works", @@ -5119,7 +7159,7 @@ "meta": { "external_id": "T1187", "refs": [ - "https://attack.mitre.org/techniques/T1187", + "https://attack.mitre.org/mitigations/T1187", "https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices", "https://www.us-cert.gov/ncas/alerts/TA17-293A" ] 
@@ -5141,10 +7181,10 @@ "meta": { "external_id": "T1197", "refs": [ - "https://attack.mitre.org/techniques/T1197", - "https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx", + "https://attack.mitre.org/mitigations/T1197", "https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/", - "https://www.symantec.com/connect/blogs/malware-update-windows-update" + "https://www.symantec.com/connect/blogs/malware-update-windows-update", + "https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx" ] }, "related": [ @@ -5164,7 +7204,7 @@ "meta": { "external_id": "T1199", "refs": [ - "https://attack.mitre.org/techniques/T1199" + "https://attack.mitre.org/mitigations/T1199" ] }, "related": [ @@ -5184,7 +7224,7 @@ "meta": { "external_id": "T1495", "refs": [ - "https://attack.mitre.org/techniques/T1495" + "https://attack.mitre.org/mitigations/T1495" ] }, "related": [ @@ -5204,7 +7244,7 @@ "meta": { "external_id": "T1496", "refs": [ - "https://attack.mitre.org/techniques/T1496", + "https://attack.mitre.org/mitigations/T1496", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -5229,7 +7269,7 @@ "meta": { "external_id": "T1488", "refs": [ - "https://attack.mitre.org/techniques/T1488", + "https://attack.mitre.org/mitigations/T1488", "https://www.ready.gov/business/implementation/IT", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", 
@@ -5247,14 +7287,14 @@ "type": "mitigates" }, { - "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", + "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7", + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5269,7 +7309,7 @@ "meta": { "external_id": "T1489", "refs": [ - "https://attack.mitre.org/techniques/T1489" + "https://attack.mitre.org/mitigations/T1489" ] }, "related": [ 
@@ -5284,12 +7324,95 @@ "uuid": "417fed8c-bd76-48b5-90a2-a88882a95241", "value": "Service Stop Mitigation - T1489" }, + { + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "meta": { + "external_id": "M1032", + "refs": [ + "https://attack.mitre.org/mitigations/M1032" + ] + }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "b045d015-6bed-4490-bd38-56b41ece59a0", + "value": "Multi-factor Authentication - M1032" + }, { "description": "Limit privileges of user accounts so only authorized users can edit the rc.common file.", "meta": { "external_id": "T1163", "refs": [ - "https://attack.mitre.org/techniques/T1163" + "https://attack.mitre.org/mitigations/T1163" ] }, "related": [ @@ -5304,12 +7427,39 @@ "uuid": "c3cf2312-3aab-4aaf-86e6-ab3505430482", "value": "Rc.common Mitigation - T1163" }, + { + "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", + "meta": { + "external_id": "M1020", + "refs": [ + "https://attack.mitre.org/mitigations/M1020" + ] + }, + "related": [ + { + "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "7bb5fae9-53ad-4424-866b-f0ea2a8b731d", + "value": "SSL/TLS Inspection - M1020" + }, { "description": "Regsvcs and Regasm may not be necessary within a given environment. Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.", "meta": { "external_id": "T1121", "refs": [ - "https://attack.mitre.org/techniques/T1121" + "https://attack.mitre.org/mitigations/T1121" ] }, "related": [ 
@@ -5497,6 +7647,173 @@ "uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "value": "Lock Bootloader - M1003" }, + { + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", + "meta": { + "external_id": "M1030", + "refs": [ + "https://attack.mitre.org/mitigations/M1030" + ] + }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "86598de0-b347-4928-9eb0-0acbfc21908c", + "value": "Network Segmentation - M1030" + }, { "description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as [Detect App Analysis Environment](https://attack.mitre.org/techniques/T1440) exist that can enable adversaries to bypass vetting.", "meta": { 
@@ -5741,6 +8058,89 @@ "uuid": "1553b156-6767-47f7-9eb4-2a692505666d", "value": "Application Vetting - M1005" }, + { + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "meta": { + "external_id": "M1050", + "refs": [ + "https://attack.mitre.org/mitigations/M1050" + ] + }, + "related": [ + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "d2a24649-9694-4c97-9c62-ce7b270bf6a3", + "value": "Exploit Protection - M1050" + }, { "description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.", "meta": { @@ -5867,6 +8267,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", @@ -5905,7 +8312,7 @@ "meta": { "external_id": "T1014", "refs": [ - "https://attack.mitre.org/techniques/T1014", + "https://attack.mitre.org/mitigations/T1014", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -5925,12 +8332,178 @@ "uuid": "95ddb356-7ba0-4bd9-a889-247262b8946f", "value": "Rootkit Mitigation - T1014" }, + { + "description": "Perform regular software updates to mitigate exploitation risk.", + "meta": { + "external_id": "M1051", + "refs": [ + "https://attack.mitre.org/mitigations/M1051" + ] + }, + "related": [ + { + "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": 
"mitigates" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "e5d930e9-775a-40ad-9bdb-b941d8dfe86b", + "value": "Update Software - M1051" + }, + { + "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", + "meta": { + "external_id": "M1016", + "refs": [ + "https://attack.mitre.org/mitigations/M1016" + ] + }, + "related": [ + { + "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "15437c6d-b998-4a36-be41-4ace3d54d266", + "value": "Vulnerability Scanning - M1016" + }, { "description": "Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life. Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", "meta": { "external_id": "T1170", "refs": [ - "https://attack.mitre.org/techniques/T1170" + "https://attack.mitre.org/mitigations/T1170" ] }, "related": [ 
@@ -5945,12 +8518,130 @@ "uuid": "d2dce10b-3562-4d61-b2f5-7c6384b038e2", "value": "Mshta Mitigation - T1170" }, + { + "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "meta": { + "external_id": "M1017", + "refs": [ + "https://attack.mitre.org/mitigations/M1017" + ] + }, + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"6a3be63a-64c5-4678-a036-03ff8fc35300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a", + "value": "User Training - M1017" + }, { "description": "Block .scr files from being executed from non-standard locations. Set Group Policy to force users to have a dedicated screensaver where local changes should not override the settings to prevent changes. Use Group Policy to disable screensavers if they are unnecessary. (Citation: TechNet Screensaver GP)", "meta": { "external_id": "T1180", "refs": [ - "https://attack.mitre.org/techniques/T1180", + "https://attack.mitre.org/mitigations/T1180", "https://technet.microsoft.com/library/cc938799.aspx" ] }, @@ -5971,7 +8662,7 @@ "meta": { "external_id": "T1085", "refs": [ - "https://attack.mitre.org/techniques/T1085", + "https://attack.mitre.org/mitigations/T1085", "https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET" ] }, 
@@ -5992,7 +8683,7 @@
 "meta": {
 "external_id": "T1062",
 "refs": [
- "https://attack.mitre.org/techniques/T1062"
+ "https://attack.mitre.org/mitigations/T1062"
 ]
 },
 "related": [
@@ -6012,7 +8703,7 @@
 "meta": {
 "external_id": "T1207",
 "refs": [
- "https://attack.mitre.org/techniques/T1207"
+ "https://attack.mitre.org/mitigations/T1207"
 ]
 },
 "related": [
@@ -6027,12 +8718,130 @@ "uuid": "b70627f7-3b43-4c6f-8fc0-c918c41f8f72", "value": "DCShadow Mitigation - T1207" }, + { + "description": "Set and enforce secure password policies for accounts.", + "meta": { + "external_id": "M1027", + "refs": [ + "https://attack.mitre.org/mitigations/M1027" + ] + }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" 
+ },
+ {
+ "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "90c218c3-fbf8-4830-98a7-e8cfb7eaa485",
+ "value": "Password Policies - M1027"
+ },
 {
 "description": "Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. (Citation: AdSecurity Cracking Kerberos Dec 2015) Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nLimit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators. (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nEnable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible. (Citation: AdSecurity Cracking Kerberos Dec 2015)",
 "meta": {
 "external_id": "T1208",
 "refs": [
- "https://attack.mitre.org/techniques/T1208",
+ "https://attack.mitre.org/mitigations/T1208",
 "https://adsecurity.org/?p=2293"
 ]
 },
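Review bot: After this hunk the file holds two generations of mitigation side by side — the new `Password Policies - M1027` entry and, immediately below it, the legacy `Kerberoasting Mitigation - T1208` entry that still carries a technique id as its `external_id` — with nothing in either record telling a consumer which one is current. If the upstream STIX data marks the technique-id course-of-action objects as deprecated (the URL rewrite to `mitigations/T1208` in the same hunk suggests they are being kept as historical objects), the generator should carry that through, e.g. a `"deprecated": true` key under `meta` on the legacy entries, so that tooling built on this galaxy can filter them out. The same applies to every legacy `T1xxx` mitigation touched by the other hunks on this page.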
@@ -6048,12 +8857,67 @@ "uuid": "a3e12b04-8598-4909-8855-2c97c1e7d549", "value": "Kerberoasting Mitigation - T1208" }, + { + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "meta": { + "external_id": "M1053", + "refs": [ + "https://attack.mitre.org/mitigations/M1053" + ] + }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "5909f20f-3c39-4795-be06-ef1ea40d350b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "3efe43d1-6f3f-4fcb-ab39-4a730971f70b", + "value": "Data Backup - M1053" + }, { "description": "When creating security rules, avoid exclusions based on file name or file path. Require signed binaries. Use file system access controls to protect folders such as C:\\Windows\\System32. 
Use tools that restrict program execution via whitelisting by attributes other than file name.\n\nIdentify potentially malicious software that may look like a legitimate program based on name and location, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
 "meta": {
 "external_id": "T1036",
 "refs": [
- "https://attack.mitre.org/techniques/T1036",
+ "https://attack.mitre.org/mitigations/T1036",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -6073,12 +8937,379 @@ "uuid": "45e7f570-6a0b-4095-bf02-4bca05da6bae", "value": "Masquerading Mitigation - T1036" }, + { + "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", + "meta": { + "external_id": "M1038", + "refs": [ + "https://attack.mitre.org/mitigations/M1038" + ] + }, + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "47e0e9fe-96ce-4f65-8bb1-8be1feacb5db", + "value": "Execution Prevention - M1038" + }, + { + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "meta": { + "external_id": "M1054", + "refs": [ + 
"https://attack.mitre.org/mitigations/M1054" + ] + }, + "related": [ + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067", + "value": "Software Configuration - M1054" + }, + { + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "meta": { + "external_id": "M1045", + "refs": [ + "https://attack.mitre.org/mitigations/M1045" + ] + }, + "related": [ + { + "dest-uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a0a189c8-d3bd-4991-bf6f-153d185ee373", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"04ef4356-8926-45e2-9441-634b6f3dcecb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "590777b3-b475-4c7c-aaf8-f4a73b140312", + "value": "Code Signing - M1045" + }, + { + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "meta": { + "external_id": "M1046", + "refs": [ + "https://attack.mitre.org/mitigations/M1046" + ] + }, + "related": [ + { + "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "7da0387c-ba92-4553-b291-b636ee42b2eb", + "value": "Boot Integrity - M1046" + }, { "description": "Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.\n\nConfigure Office security settings enable Protected View, to execute within a sandbox environment, and to block macros through Group Policy. (Citation: Microsoft Block Office Macros) Other types of virtualization and application microsegmentation may also mitigate the impact of compromise. The risks of additional exploits and weaknesses in implementation may still exist. 
(Citation: Ars Technica Pwn2Own 2017 VM Escape)",
 "meta": {
 "external_id": "T1064",
 "refs": [
- "https://attack.mitre.org/techniques/T1064",
+ "https://attack.mitre.org/mitigations/T1064",
 "https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/",
 "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"
 ]
@@ -6100,7 +9331,7 @@
 "meta": {
 "external_id": "T1067",
 "refs": [
- "https://attack.mitre.org/techniques/T1067",
+ "https://attack.mitre.org/mitigations/T1067",
 "http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf",
 "https://technet.microsoft.com/en-us/windows/dn168167.aspx"
 ]
@@ -6122,7 +9353,7 @@
 "meta": {
 "external_id": "T1086",
 "refs": [
- "https://attack.mitre.org/techniques/T1086",
+ "https://attack.mitre.org/mitigations/T1086",
 "https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/"
 ]
 },
@@ -6143,7 +9374,7 @@
 "meta": {
 "external_id": "T1099",
 "refs": [
- "https://attack.mitre.org/techniques/T1099",
+ "https://attack.mitre.org/mitigations/T1099",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -6168,7 +9399,7 @@
 "meta": {
 "external_id": "T1117",
 "refs": [
- "https://attack.mitre.org/techniques/T1117",
+ "https://attack.mitre.org/mitigations/T1117",
 "https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET"
 ]
 },
@@ -6189,7 +9420,7 @@
 "meta": {
 "external_id": "T1118",
 "refs": [
- "https://attack.mitre.org/techniques/T1118"
+ "https://attack.mitre.org/mitigations/T1118"
 ]
 },
 "related": [
@@ -6209,7 +9440,7 @@
 "meta": {
 "external_id": "T1191",
 "refs": [
- "https://attack.mitre.org/techniques/T1191",
+ "https://attack.mitre.org/mitigations/T1191",
 "https://msitpros.com/?p=3960"
 ]
 },
@@ -6230,7 +9461,7 @@
 "meta": {
 "external_id": "T1142",
 "refs": [
- "https://attack.mitre.org/techniques/T1142"
+ "https://attack.mitre.org/mitigations/T1142"
 ]
 },
 "related": [
@@ -6250,7 +9481,7 @@
 "meta": {
 "external_id": "T1152",
 "refs": [
- "https://attack.mitre.org/techniques/T1152"
+ "https://attack.mitre.org/mitigations/T1152"
 ]
 },
 "related": [
@@ -6270,7 +9501,7 @@
 "meta": {
 "external_id": "T1153",
 "refs": [
- "https://attack.mitre.org/techniques/T1153"
+ "https://attack.mitre.org/mitigations/T1153"
 ]
 },
 "related": [
@@ -6290,7 +9521,7 @@
 "meta": {
 "external_id": "T1154",
 "refs": [
- "https://attack.mitre.org/techniques/T1154"
+ "https://attack.mitre.org/mitigations/T1154"
 ]
 },
 "related": [
@@ -6310,7 +9541,7 @@
 "meta": {
 "external_id": "T1148",
 "refs": [
- "https://attack.mitre.org/techniques/T1148",
+ "https://attack.mitre.org/mitigations/T1148",
 "http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory"
 ]
 },
@@ -6331,7 +9562,7 @@
 "meta": {
 "external_id": "T1155",
 "refs": [
- "https://attack.mitre.org/techniques/T1155",
+ "https://attack.mitre.org/mitigations/T1155",
 "https://www.engadget.com/2013/10/23/applescript-and-automator-gain-new-features-in-os-x-mavericks/"
 ]
 },
@@ -6352,7 +9583,7 @@
 "meta": {
 "external_id": "T1169",
 "refs": [
- "https://attack.mitre.org/techniques/T1169"
+ "https://attack.mitre.org/mitigations/T1169"
 ]
 },
 "related": [
@@ -6372,7 +9603,7 @@
 "meta": {
 "external_id": "T1179",
 "refs": [
- "https://attack.mitre.org/techniques/T1179"
+ "https://attack.mitre.org/mitigations/T1179"
 ]
 },
 "related": [
@@ -6387,6 +9618,61 @@
 "uuid": "7aee8ea0-0baa-4232-b379-5d9ce98352cf",
 "value": "Hooking Mitigation - T1179"
 },
+ {
+ "description": "Use signatures or heuristics to detect malicious software.",
+ "meta": {
+ "external_id": "M1049",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1049"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "a6a47a06-08fc-4ec4-bdc3-20373375ebb9",
+ "value": "Antivirus/Antimalware - M1049"
+ },
 {
 "description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.",
 "meta": {
@@ -6406,7 +9692,132 @@ ], "uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c", "value": "Attestation - M1002" + }, + { + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "meta": { + "external_id": "M1047", + "refs": [ + "https://attack.mitre.org/mitigations/M1047" + ] + }, + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8", + "value": "Audit - M1047" } ], - "version": 12 + "version": 14 } diff --git a/clusters/mitre-enterprise-attack-course-of-action.json b/clusters/mitre-enterprise-attack-course-of-action.json index 2fadd8f..d770d14 100644 --- a/clusters/mitre-enterprise-attack-course-of-action.json +++ b/clusters/mitre-enterprise-attack-course-of-action.json @@ -3672,5 +3672,5 @@ "value": "Security Software Discovery Mitigation - T1063" } ], - "version": 7 + "version": 8 } diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json index 0520025..b8d173f 100644 --- a/clusters/mitre-intrusion-set.json +++ b/clusters/mitre-intrusion-set.json 
@@ -9,6 +9,93 @@ "type": "mitre-intrusion-set", "uuid": "10df003c-7831-11e7-bdb9-971cdd1218df", "values": [ + { + "description": "[The White Company](https://attack.mitre.org/groups/G0089) is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.(Citation: Cylance Shaheen Nov 2018)", + "meta": { + "external_id": "G0089", + "refs": [ + "https://attack.mitre.org/groups/G0089", + "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" + ], + "synonyms": [ + "The White Company" + ] + }, + "related": [ + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "6688d679-ccdb-4f12-abf6-c7545dd767a4", + "value": "The White Company - G0089" + }, { "description": "[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims. (Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Securelist LuckyMouse June 2018)", "meta": { @@ -20,7 +107,8 @@ "https://securelist.com/luckymouse-hits-national-data-center/86083/", "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", - "http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/" + "http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/", + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" ], "synonyms": [ "Threat Group-3390", 
@@ -396,6 +484,48 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5e814485-012d-423d-b769-026bfed0f451",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
@@ -1263,6 +1393,27 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "8a831aaa-f3e0-47a3-bed8-a9ced744dd12",
@@ -1800,6 +1951,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
 "tags": [
@@ -1849,13 +2007,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
 "tags": [
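Review bot: The relation for `b17a1a56-e99c-403c-8948-561df0cffe81` removed at `@@ -1849,13 +2007,6 @@` is byte-identical to the one added at `@@ -1800,6 +1951,13 @@`, so this pair of hunks is a move within the `related` array rather than a change; the same pattern appears at L148 (`72b74d71-…`) and at L158 (`799ace7f-…` replaced in place by `56fca983-…` and re-added further down). Presumably the order comes straight from the upstream export; if the generator sorted `related` by `dest-uuid` before writing, these no-op moves would vanish from future diffs and the genuine additions would be easier to review. The enclosing group entries for these hunks lie outside the visible context.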
@@ -2070,6 +2221,62 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "56319646-eb6e-41fc-ae53-aadfa7adb924",
@@ -2986,6 +3193,303 @@ "uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "value": "Stealth Falcon - G0038" }, + { + "description": "Operation [Soft Cell](https://attack.mitre.org/groups/G0093) is a group that is reportedly affiliated with China and is likely state-sponsored. The group has operated since at least 2012 and has compromised high-profile telecommunications networks.(Citation: Cybereason Soft Cell June 2019)", + "meta": { + "external_id": "G0093", + "refs": [ + "https://attack.mitre.org/groups/G0093", + "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" + ], + "synonyms": [ + "Soft Cell" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + 
}, + { + "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "06a11b7e-2a36-47fe-8d3e-82c265df3258", + "value": "Soft Cell - G0093" + }, { "description": "[Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. 
(Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044). (Citation: 401 TRG Winnti Umbrella May 2018)", "meta": { @@ -3714,6 +4218,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "1f21da59-6a13-455b-afd0-d58d0a5a7d27", @@ -3976,7 +4487,7 @@ "value": "FIN10 - G0051" }, { - "description": "[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)", + "description": "[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.(Citation: Meyers Numbered Panda)", "meta": { "external_id": "G0005", "refs": [ 
@@ -4013,6 +4524,41 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
@@ -4137,6 +4683,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283",
 "tags": [
@@ -4270,13 +4823,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
 "tags": [
@@ -4510,7 +5056,8 @@
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/",
 "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf",
 "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
- "https://securelist.com/introducing-whitebear/81638/"
+ "https://securelist.com/introducing-whitebear/81638/",
+ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"
 ],
 "synonyms": [
 "Turla",
@@ -4801,6 +5348,139 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", 
@@ -5313,7 +5993,152 @@ "value": "APT32 - G0050" }, { - "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [APT28](https://attack.mitre.org/groups/G0007) has been active since at least January 2007.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018)", + "description": "[TA505](https://attack.mitre.org/groups/G0092) is a financially motivated threat group that has been active since at least 2014. 
The group is known for frequently changing malware and driving global trends in criminal malware distribution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)", + "meta": { + "external_id": "G0092", + "refs": [ + "https://attack.mitre.org/groups/G0092", + "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter", + "https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times", + "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" + ], + "synonyms": [ + "TA505" + ] + }, + "related": [ + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00806466-754d-44ea-ad6f-0caf59cb8556", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "432555de-63bf-4f2a-a3fa-f720a4561078", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "aae22730-e571-4d17-b037-65f2a3e26213", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43155329-3edf-47a6-9a14-7dac899b01e4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", + "value": "TA505 - G0092" + }, + { + "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. 
This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [APT28](https://attack.mitre.org/groups/G0007) has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)", "meta": { "external_id": "G0007", "refs": [ @@ -5328,6 +6153,7 @@ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", + "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf", "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", @@ -5833,6 +6659,20 @@ ], "type": "uses" }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b865dded-0553-4962-a44b-6fe7863effed", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "56660521-6db4-4e5a-a927-464f22954b7c", "tags": [ 
@@ -6668,13 +7508,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "e494ad79-37ee-4cd0-866b-299c521d8b94",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
 "tags": [
@@ -6820,6 +7653,72 @@ "uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", "value": "Carbanak - G0008" }, + { + "description": "[WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. The group focuses on targeting Middle East defense and diplomats.(Citation: Lab52 WIRTE Apr 2019)", + "meta": { + "external_id": "G0090", + "refs": [ + "https://attack.mitre.org/groups/G0090", + "https://lab52.io/blog/wirte-group-attacking-the-middle-east/" + ], + "synonyms": [ + "WIRTE" + ] + }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "f8cb7b36-62ef-4488-8a6d-a7033e3271c1", + "value": "WIRTE - G0090" + }, { "description": "[PittyTiger](https://attack.mitre.org/groups/G0011) is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. 
(Citation: Bizeul 2014) (Citation: Villeneuve 2014)", "meta": { @@ -7337,7 +8236,7 @@ "type": "uses" }, { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7461,6 +8360,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", 
@@ -8544,6 +9450,115 @@ "uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "value": "Naikon - G0019" }, + { + "description": "[Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing. (Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017) ", + "meta": { + "external_id": "G0091", + "refs": [ + "https://attack.mitre.org/groups/G0091", + "https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/", + "https://securelist.com/the-silence/83009/" + ], + "synonyms": [ + "Silence" + ] + }, + "related": [ + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "d13c8a7f-740b-4efa-a232-de7d6bb05321", + "value": "Silence - G0091" + }, { "description": "[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security. (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. (Citation: FireEye Clandestine Wolf) (Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. (Citation: Symantec Buckeye)\n\nMITRE has also developed an APT3 Adversary Emulation Plan.(Citation: APT3 Adversary Emulation Plan)", "meta": { 
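Review bot: The new Silence `description` string ends with a trailing space before the closing quote (`…(Citation: SecureList Silence Nov 2017) "`), unlike the other descriptions added in this commit. Whitespace inside the value survives JSON round-trips and will surface in exact-match comparisons and in the rendered galaxy. I would trim it: `"description": "… (Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)"`; if the text is copied from the upstream ATT&CK export, stripping descriptions in the generator would cover this and similar cases.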
@@ -9213,7 +10228,10 @@
 "meta": {
 "external_id": "G0052",
 "refs": [
- "https://attack.mitre.org/groups/G0052"
+ "https://attack.mitre.org/groups/G0052",
+ "http://www.clearskysec.com/copykitten-jpost/",
+ "http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf",
+ "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf"
 ],
 "synonyms": [
 "CopyKittens"
@@ -9767,6 +10785,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f",
@@ -9807,12 +10832,12 @@ "value": "APT34 - G0057" }, { - "description": "[Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)", + "description": "[Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)", "meta": { "external_id": "G0043", "refs": [ "https://attack.mitre.org/groups/G0043", - "https://citizenlab.org/2016/08/group5-syria/" + "https://citizenlab.ca/2016/08/group5-syria/" ], "synonyms": [ "Group5" @@ -9860,6 +10885,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", 
@@ -10038,7 +11077,7 @@ "value": "Dragonfly - G0035" }, { - "description": "[APT37](https://attack.mitre.org/groups/G0067) is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://attack.mitre.org/groups/G0067) has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. (Citation: FireEye APT37 Feb 2018) (Citation: Securelist ScarCruft Jun 2016) (Citation: Talos Group123)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017), [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.", + "description": "[APT37](https://attack.mitre.org/groups/G0067) is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. 
[APT37](https://attack.mitre.org/groups/G0067) has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. (Citation: FireEye APT37 Feb 2018) (Citation: Securelist ScarCruft Jun 2016) (Citation: Talos Group123)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017) [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.", "meta": { "external_id": "G0067", "refs": [ @@ -10047,7 +11086,8 @@ "https://securelist.com/operation-daybreak/75100/", "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://www.us-cert.gov/ncas/alerts/TA17-164A", - "https://securelist.com/lazarus-under-the-hood/77908/" + "https://securelist.com/lazarus-under-the-hood/77908/", + "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/" ], "synonyms": [ "APT37", 
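Review bot: The new APT37 description in the `@@ -10038` hunk is shown broken across two lines after "Middle East. " while the removed version is a single line; the same split appears in the new OilRig description (`@@ -11769`, after "nation-state interests. "). This is most likely display wrapping of a very long diff line, but if either break is a literal newline inside the string the whole cluster file stops being valid JSON, since the file encodes paragraph breaks as `\n\n` rather than raw line breaks. Worth confirming with a strict parser before merge, e.g. `python -m json.tool clusters/<file>.json`. The only wording change in the APT37 text is the dropped comma after the Kaspersky citation, which reads correctly.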
@@ -10316,6 +11356,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c", @@ -10986,7 +12040,8 @@ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", "https://www.justice.gov/opa/press-release/file/1121706/download", - "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" + "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", + "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" ], "synonyms": [ "menuPass", @@ -11666,6 +12721,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", 
@@ -11769,7 +12831,7 @@ "value": "RTM - G0048" }, { - "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. 
(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.", "meta": { "external_id": "G0049", "refs": [ @@ -12923,7 +13985,8 @@ "meta": { "external_id": "G0068", "refs": [ - "https://attack.mitre.org/groups/G0068" + "https://attack.mitre.org/groups/G0068", + "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" ], "synonyms": [ "PLATINUM" @@ -13301,6 +14364,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "269e8108-68c6-4f99-b911-14b2e765dec2", @@ -13498,5 +14568,5 @@ "value": "DarkHydrus - G0079" } ], - "version": 15 + "version": 17 } diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json index bc1fbae..6a2f263 100644 --- a/clusters/mitre-malware.json +++ b/clusters/mitre-malware.json @@ -610,7 +610,8 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/software/S0007" + "https://attack.mitre.org/software/S0007", + "https://www.secureworks.com/research/skeleton-key-malware-analysis" ], "synonyms": [ "Skeleton Key" @@ -1685,7 +1686,7 @@ "type": "uses" }, { - "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
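Review bot: The `@@ -1685` hunk in clusters/mitre-malware.json silently retargets a relation, replacing `"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba"` with `"dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d"`, and nothing in the patch explains the swap. Since these edges are resolved by uuid across cluster files, confirm that the new uuid exists in the referenced cluster and that the old one is either still defined or no longer referenced anywhere, otherwise the change trades one dangling edge for another. Separately, the `@@ -13498` hunk moves `"version"` from 15 to 17 in a single commit; harmless for MISP, but it suggests an intermediate regeneration was squashed and is worth a one-line mention in the commit message.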
@@ -1697,6 +1698,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0efefea5-78da-4022-92bc-d726139e8883", @@ -1739,6 +1747,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48", 
@@ -2334,6 +2356,509 @@ "uuid": "3249e92a-870b-426d-8790-ba311c1abfb4", "value": "Olympic Destroyer - S0365" }, + { + "description": "[Ursnif ](https://attack.mitre.org/software/S0386) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193)s, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) [Ursnif ](https://attack.mitre.org/software/S0386) is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.(Citation: TrendMicro Ursnif Mar 2015)", + "meta": { + "external_id": "S0386", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0386", + "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif", + "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992", + "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" + ], + "synonyms": [ + "Ursnif ", + "Gozi-ISFB", + "PE_URSNIF", + "Dreambot" + ] + }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "1492d0f8-7e14-4af3-9239-bc3fe10d3407", + "value": "Ursnif - S0386" + }, + { + "description": "[Revenge RAT](https://attack.mitre.org/software/S0379) is a freely available remote access tool written in .NET (C#).(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)", + "meta": { + "external_id": "S0379", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0379", + "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517", + "https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/" + ], + "synonyms": [ + "Revenge RAT" + ] + }, + "related": [ + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326", + "value": "Revenge RAT - S0379" + }, + { + "description": "[HyperBro ](https://attack.mitre.org/software/S0398) is a custom in-memory backdoor used by [Threat Group-3390](https://attack.mitre.org/groups/G0027).(Citation: Unit42 Emissary Panda May 2019)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)", + "meta": { + "external_id": "S0398", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0398", + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", + "https://securelist.com/luckymouse-hits-national-data-center/86083/", + "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html" + ], + "synonyms": [ + "HyperBro " + ] + }, + "related": [ + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "5e814485-012d-423d-b769-026bfed0f451", + "value": "HyperBro - S0398" + }, { "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)", "meta": { @@ -2875,6 +3400,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05", "tags": [ 
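Review bot: The Ursnif and HyperBro entries added in the `@@ -2334` hunk carry trailing whitespace inside their names: the synonym `"Ursnif "`, the markdown link text `[Ursnif ](https://attack.mitre.org/software/S0386)` in the description, and the synonym `"HyperBro "`. MISP matches galaxy synonyms by exact string, so `Ursnif` and `HyperBro` will not hit these entries, and the link text renders with a stray space. This looks like a verbatim carry-over from the upstream ATT&CK STIX names; the generator should strip it, giving `"Ursnif",` and `"HyperBro"` in the synonym lists. The Ursnif and Revenge RAT refs also embed `?_ga=` analytics query strings (trendmicro.com, cylance.com) that carry no information and should be dropped from the stored URLs.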
@@ -2889,13 +3421,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380", "tags": [ @@ -3408,7 +3933,8 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/software/S0060" + "https://attack.mitre.org/software/S0060", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [ "Sys10" @@ -5709,7 +6235,7 @@ "value": "POSHSPY - S0150" }, { - "description": "[Ixeshe](https://attack.mitre.org/software/S0015) is a malware family that has been used since 2009 to attack targets in East Asia. (Citation: Moran 2013)", + "description": "[Ixeshe](https://attack.mitre.org/software/S0015) is a malware family that has been used since at least 2009 against targets in East Asia. (Citation: Moran 2013)", "meta": { "external_id": "S0015", "mitre_platforms": [ 
@@ -5730,6 +6256,111 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", @@ -6700,6 +7331,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", @@ -6832,13 +7470,6 @@ ], "type": "uses" }, - { - "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "tags": [ @@ -6866,6 +7497,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5bcd5511-6756-4824-a692-e8bb109364af", 
@@ -7571,7 +8209,7 @@ "value": "LOWBALL - S0042" }, { - "description": "[ROKRAT](https://attack.mitre.org/software/S0240) is a remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067). This software has been used to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) used ROKRAT during several campaigns in 2016 through 2018. (Citation: Talos ROKRAT) (Citation: Talos Group123)", + "description": "[ROKRAT](https://attack.mitre.org/software/S0240) is a cloud-based remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067). This software has been used to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) used ROKRAT during several campaigns in 2016 through 2018. (Citation: Talos ROKRAT) (Citation: Talos Group123)", "meta": { "external_id": "S0240", "mitre_platforms": [ @@ -7671,6 +8309,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", 
@@ -10086,6 +10738,133 @@ "uuid": "4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62", "value": "SamSam - S0370" }, + { + "description": "[StoneDrill](https://attack.mitre.org/software/S0380) is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with [APT33](https://attack.mitre.org/groups/G0064).(Citation: FireEye APT33 Sept 2017)(Citation: Kaspersky StoneDrill 2017)", + "meta": { + "external_id": "S0380", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0380", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf" + ], + "synonyms": [ + "StoneDrill", + "DROPSHOT" + ] + }, + "related": [ + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": 
"uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887", + "value": "StoneDrill - S0380" + }, { "description": "[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)", "meta": { 
@@ -10441,6 +11220,79 @@ "uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "value": "Adups - S0309" }, + { + "description": "[SQLRat](https://attack.mitre.org/software/S0390) is malware that executes SQL scripts to avoid leaving traditional host artifacts. [FIN7](https://attack.mitre.org/groups/G0046) has been observed using it.(Citation: Flashpoint FIN 7 March 2019)", + "meta": { + "external_id": "S0390", + "refs": [ + "https://attack.mitre.org/software/S0390", + "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/ " + ], + "synonyms": [ + "SQLRat" + ] + }, + "related": [ + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", + "value": 
"SQLRat - S0390" + }, { "description": "[JHUHUGIT](https://attack.mitre.org/software/S0044) is malware used by [APT28](https://attack.mitre.org/groups/G0007). It is based on Carberp source code and serves as reconnaissance malware. (Citation: Kaspersky Sofacy) (Citation: F-Secure Sofacy 2015) (Citation: ESET Sednit Part 1) (Citation: FireEye APT28 January 2017)", "meta": { @@ -11452,7 +12304,8 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/software/S0059" + "https://attack.mitre.org/software/S0059", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [ "WinMM" @@ -12578,13 +13431,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -13067,13 +13913,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ @@ -13751,6 +14590,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0241", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/", "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" ], "synonyms": [ 
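Review bot: The second `refs` entry of the new SQLRat (S0390) cluster has a trailing space inside the URL string, `"https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/ "`, so anything that de-duplicates, hashes or resolves refs will see a distinct or broken link. It should read `"https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/"`. The cluster text looks like it is carried over verbatim from the upstream ATT&CK data, so if this file is produced by a generator the whitespace stripping belongs there (or upstream), otherwise the next sync will reintroduce it.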
@@ -14477,10 +15317,13 @@ "https://attack.mitre.org/software/S0251", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", - "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" + "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/", + "https://www.cyberscoop.com/apt28-brexit-phishing-accenture/", + "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" ], "synonyms": [ - "Zebrocy" + "Zebrocy", + "Zekapab" ] }, "related": [ @@ -14644,6 +15487,48 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", 
@@ -15662,7 +16547,8 @@ "meta": { "external_id": "S0182", "mitre_platforms": [ - "Windows" + "Windows", + "Android" ], "refs": [ "https://attack.mitre.org/software/S0182", @@ -15838,6 +16724,48 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3911658a-6506-4deb-9ab4-595a51ae71ad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", @@ -16094,9 +17022,9 @@ ], "refs": [ "https://attack.mitre.org/software/S0143", + "https://securelist.com/the-flame-questions-and-answers-51/34344/", "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache", - "https://www.crysys.hu/publications/files/skywiper.pdf", - "https://securelist.com/the-flame-questions-and-answers-51/34344/" + "https://www.crysys.hu/publications/files/skywiper.pdf" ], "synonyms": [ "Flame", 
@@ -16286,6 +17214,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6a92d80f-cc65-45f6-aa66-3cdea6786b3c", 
@@ -17204,6 +18146,96 @@ "uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", "value": "OLDBAIT - S0138" }, + { + "description": "[FlawedAmmyy](https://attack.mitre.org/software/S0381) is a remote access tool (RAT) that was first seen in early 2016. The code for [FlawedAmmyy](https://attack.mitre.org/software/S0381) was based on leaked source code for a version of Ammyy Admin, a remote access software.(Citation: Proofpoint TA505 Mar 2018)", + "meta": { + "external_id": "S0381", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0381", + "https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware" + ], + "synonyms": [ + "FlawedAmmyy" + ] + }, + "related": [ + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "432555de-63bf-4f2a-a3fa-f720a4561078", + "value": "FlawedAmmyy - S0381" + }, { "description": "[XLoader](https://attack.mitre.org/software/S0318) is a malicious Android app that was observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. (Citation: TrendMicro-XLoader)", "meta": { 
@@ -17252,6 +18284,124 @@ "uuid": "2740eaf6-2db2-4a40-a63f-f5b166c7059c", "value": "XLoader - S0318" }, + { + "description": "[HAWKBALL](https://attack.mitre.org/software/S0391) is a backdoor that was observed in targeting of the government sector in Central Asia.(Citation: FireEye HAWKBALL Jun 2019)", + "meta": { + "external_id": "S0391", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0391", + "https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" + ], + "synonyms": [ + "HAWKBALL" + ] + }, + "related": [ + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": 
[ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "12a7450d-b03e-4990-a5b8-b405ab9c803b", + "value": "HAWKBALL - S0391" + }, { "description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)", "meta": { 
@@ -19234,7 +20384,7 @@ "value": "Gazer - S0168" }, { - "description": "[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a dynamic-link library (DLL) downloader utilized by [FIN8](https://attack.mitre.org/groups/G0061). (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)", + "description": "[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a backdoor malware used by [FIN8](https://attack.mitre.org/groups/G0061) that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)", "meta": { "external_id": "S0196", "mitre_platforms": [ @@ -19242,11 +20392,13 @@ ], "refs": [ "https://attack.mitre.org/software/S0196", + "http://blog.morphisec.com/security-alert-fin8-is-back", "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html", "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" ], "synonyms": [ - "PUNCHBUGGY" + "PUNCHBUGGY", + "ShellTea" ] }, "related": [ 
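Review bot: The new Morphisec ref for PUNCHBUGGY (S0196), `"http://blog.morphisec.com/security-alert-fin8-is-back"`, is the only plain-`http://` URL among the refs added in this patch; every other ref in these hunks uses `https://`, and a threat-intel reference list should not direct readers over cleartext where the site serves TLS. Worth confirming the page is reachable as `"https://blog.morphisec.com/security-alert-fin8-is-back"` and normalising it. The updated description also runs two citations together, `(Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016) (Citation: ...)`, with inconsistent spacing; if the text is copied from upstream this is cosmetic, but it is visible in any rendered view of the cluster.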
@@ -19305,6 +20457,69 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", 
@@ -19741,7 +20956,7 @@ "value": "ISMInjector - S0189" }, { - "description": "[TURNEDUP](https://attack.mitre.org/software/S0199) is a non-public backdoor. It has been dropped by [APT33](https://attack.mitre.org/groups/G0064)'s DROPSHOT malware (also known as Stonedrill). (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", + "description": "[TURNEDUP](https://attack.mitre.org/software/S0199) is a non-public backdoor. It has been dropped by [APT33](https://attack.mitre.org/groups/G0064)'s [StoneDrill](https://attack.mitre.org/software/S0380) malware. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", "meta": { "external_id": "S0199", "mitre_platforms": [ @@ -20232,6 +21447,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "04227b24-7817-4de1-9050-b7b1b57f5866", 
@@ -22175,6 +23397,117 @@ "uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c", "value": "jRAT - S0283" }, + { + "description": "[ServHelper](https://attack.mitre.org/software/S0382) is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.(Citation: Proofpoint TA505 Jan 2019)", + "meta": { + "external_id": "S0382", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0382", + "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" + ], + "synonyms": [ + "ServHelper" + ] + }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "aae22730-e571-4d17-b037-65f2a3e26213", + "value": "ServHelper - S0382" + }, { "description": "[Proxysvc](https://attack.mitre.org/software/S0238) is a malicious DLL used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of [Proxysvc](https://attack.mitre.org/software/S0238) is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. (Citation: McAfee GhostSecret)", "meta": { 
@@ -26614,6 +27947,47 @@ "uuid": "9af05de0-bc09-4511-a350-5eb8b06185c1", "value": "BadPatch - S0337" }, + { + "description": "[FlawedGrace](https://attack.mitre.org/software/S0383) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.(Citation: Proofpoint TA505 Jan 2019)", + "meta": { + "external_id": "S0383", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0383", + "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" + ], + "synonyms": [ + "FlawedGrace" + ] + }, + "related": [ + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "43155329-3edf-47a6-9a14-7dac899b01e4", + "value": "FlawedGrace - S0383" + }, { "description": "[Micropsia](https://attack.mitre.org/software/S0339) is a remote access tool written in Delphi.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)", "meta": { 
@@ -26747,6 +28121,68 @@ "uuid": "8c050cea-86e1-4b63-bf21-7af4fa483349", "value": "Micropsia - S0339" }, + { + "description": "[PowerStallion](https://attack.mitre.org/software/S0393) is a lightweight [PowerShell](https://attack.mitre.org/techniques/T1086) backdoor used by [Turla](https://attack.mitre.org/groups/G0010), possibly as a recovery access tool to install other backdoors.(Citation: ESET Turla PowerShell May 2019)", + "meta": { + "external_id": "S0393", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0393", + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" + ], + "synonyms": [ + "PowerStallion" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd", + "value": "PowerStallion - S0393" + }, { "description": "[Azorult](https://attack.mitre.org/software/S0344) is a commercial Trojan that is used to steal information from compromised hosts. 
[Azorult](https://attack.mitre.org/software/S0344) has been observed in the wild as early as 2016.\nIn July 2018, [Azorult](https://attack.mitre.org/software/S0344) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://attack.mitre.org/software/S0344) has been seen used for cryptocurrency theft. (Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)", "meta": { @@ -26862,13 +28298,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ 
@@ -27417,6 +28846,160 @@ "uuid": "a5575606-9b85-4e3d-9cd2-40ef30e3672d", "value": "SpeakUp - S0374" }, + { + "description": "[Dridex](https://attack.mitre.org/software/S0384) is a banking Trojan that has been used for financial gain. Dridex was created from the source code of the Bugat banking trojan (also known as Cridex).(Citation: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 2017)", + "meta": { + "external_id": "S0384", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0384", + "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation", + "https://securelist.com/dridex-a-history-of-evolution/78531/" + ], + "synonyms": [ + "Dridex", + "Bugat v5" + ] + }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", + "value": "Dridex - S0384" + }, + { + "description": "[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. 
It comes in the form of a statistically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)", + "meta": { + "external_id": "S0394", + "mitre_platforms": [ + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S0394", + "https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" + ], + "synonyms": [ + "HiddenWasp" + ] + }, + "related": [ + { + "dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + 
], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "fc774af4-533b-4724-96d2-ac1026316794", + "value": "HiddenWasp - S0394" + }, { "description": "[KONNI](https://attack.mitre.org/software/S0356) is a Windows remote administration too that has been seen in use since 2014 and evolved in its capabilities through at least 2017. [KONNI](https://attack.mitre.org/software/S0356) has been linked to several campaigns involving North Korean themes.(Citation: Talos Konni May 2017) [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family. There is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)", "meta": { @@ -27463,13 +29046,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ 
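Review bot: The HiddenWasp (S0394) description added in this hunk says the sample "comes in the form of a statistically linked ELF binary with stdlibc++"; the intended term is "statically linked", which is the property that matters for analysts (no runtime dependency on the host's libstdc++). The citation key `(Citation: Intezer HiddenWasp Map 2019)` also looks like a typo for `May 2019`, but the ref URL in the hunk carries no date, so that should be checked against the source before changing it. Both strings appear to be copied from the upstream ATT&CK entry, so the correction is best made there rather than hand-edited here.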
@@ -27690,6 +29266,346 @@ "uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5", "value": "Remexi - S0375" }, + { + "description": "[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)", + "meta": { + "external_id": "S0385", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0385", + "https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf", + "https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" + ], + "synonyms": [ + "njRAT", + "Njw0rm", + "LV", + "Bladabindi" + ] + }, + "related": [ + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", + "value": "njRAT - S0385" + }, + { + "description": "[LightNeuron](https://attack.mitre.org/software/S0395) is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. [LightNeuron](https://attack.mitre.org/software/S0395) has been used by [Turla](https://attack.mitre.org/groups/G0010) to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of [LightNeuron](https://attack.mitre.org/software/S0395) exists.(Citation: ESET LightNeuron May 2019)", + "meta": { + "external_id": "S0395", + "mitre_platforms": [ + "Windows", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S0395", + "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" + ], + "synonyms": [ + "LightNeuron" + ] + }, + "related": [ + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + 
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", + "value": "LightNeuron - S0395" + }, { "description": "[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)", "meta": { @@ -28054,6 +29970,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "32066e94-3112-48ca-b9eb-ba2b59d2f023", 
@@ -28320,6 +30243,110 @@ "uuid": "5719af9d-6b16-46f9-9b28-fb019541ddbb", "value": "NotPetya - S0368" }, + { + "description": "[EvilBunny](https://attack.mitre.org/software/S0396) is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.(Citation: Cyphort EvilBunny Dec 2014)", + "meta": { + "external_id": "S0396", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0396", + "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/" + ], + "synonyms": [ + "EvilBunny" + ] + }, + "related": [ + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + 
"tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "a8a778f5-0035-4870-bb25-53dc05029586", + "value": "EvilBunny - S0396" + }, { "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)", "meta": { 
@@ -28493,7 +30520,435 @@ ], "uuid": "d6b3fcd0-1c86-4350-96f0-965ed02fcc51", "value": "Ebury - S0377" + }, + { + "description": "[KeyBoy](https://attack.mitre.org/software/S0387) is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.(Citation: CitizenLab KeyBoy Nov 2016)(Citation: PWC KeyBoys Feb 2017)", + "meta": { + "external_id": "S0387", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0387", + "https://citizenlab.ca/2016/11/parliament-keyboy/", + "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html", + "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" + ], + "synonyms": [ + "KeyBoy" + ] + }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e", + "value": "KeyBoy - S0387" + }, + { + "description": "[LoJax](https://attack.mitre.org/software/S0397) is a UEFI rootkit used by [APT28](https://attack.mitre.org/groups/G0007) to persist remote access software on targeted systems.(Citation: ESET LoJax Sept 2018)", + "meta": { + "external_id": "S0397", + "mitre_platforms": 
[ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0397", + "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" + ], + "synonyms": [ + "LoJax" + ] + }, + "related": [ + { + "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b865dded-0553-4962-a44b-6fe7863effed", + "value": "LoJax - S0397" + }, + { + "description": "Yahoyah is a Trojan used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) as a second-stage backdoor.(Citation: TrendMicro TropicTrooper 2015)", + "meta": { + "external_id": "S0388", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0388", + "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf" + ], + "synonyms": [ + "Yahoyah" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": 
[ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3", + "value": "Yahoyah - S0388" + }, + { + "description": "[JCry](https://attack.mitre.org/software/S0389) is ransomware written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.(Citation: Carbon Black JCry May 2019)", + "meta": { + "external_id": "S0389", + "refs": [ + "https://attack.mitre.org/software/S0389", + "https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/" + ], + "synonyms": [ + "JCry" + ] + }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { 
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "aaf3fa65-8b27-4e68-91de-2b7738fe4c82", + "value": "JCry - S0389" + }, + { + "description": "[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)", + "meta": { + "external_id": "S0399", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S0399", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + ], + "synonyms": [ + "Pallas" + ] + }, + "related": [ + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "value": "Pallas - S0399" } ], - "version": 14 + "version": 16 } diff --git a/clusters/mitre-mobile-attack-attack-pattern.json b/clusters/mitre-mobile-attack-attack-pattern.json index c0a9a6f..e7eef0e 100644 --- a/clusters/mitre-mobile-attack-attack-pattern.json +++ b/clusters/mitre-mobile-attack-attack-pattern.json @@ -1670,5 +1670,5 @@ "value": "Malicious Software Development Tools - MOB-T1065" } ], - "version": 5 + "version": 6 } diff --git a/clusters/mitre-mobile-attack-course-of-action.json b/clusters/mitre-mobile-attack-course-of-action.json index 81b31ae..2834728 100644 --- a/clusters/mitre-mobile-attack-course-of-action.json +++ b/clusters/mitre-mobile-attack-course-of-action.json @@ -274,6 +274,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", 
@@ -304,5 +311,5 @@ "value": "Encrypt Network Traffic - MOB-M1009" } ], - "version": 6 + "version": 7 } diff --git a/clusters/mitre-mobile-attack-malware.json b/clusters/mitre-mobile-attack-malware.json index 8697db8..6ccc268 100644 --- a/clusters/mitre-mobile-attack-malware.json +++ b/clusters/mitre-mobile-attack-malware.json @@ -1117,5 +1117,5 @@ "value": "XcodeGhost - MOB-S0013" } ], - "version": 8 + "version": 9 } diff --git a/clusters/mitre-pre-attack-attack-pattern.json b/clusters/mitre-pre-attack-attack-pattern.json index 66fd09b..a61508d 100644 --- a/clusters/mitre-pre-attack-attack-pattern.json +++ b/clusters/mitre-pre-attack-attack-pattern.json @@ -2785,5 +2785,5 @@ "value": "Data Hiding - PRE-T1097" } ], - "version": 6 + "version": 7 } diff --git a/clusters/mitre-pre-attack-intrusion-set.json b/clusters/mitre-pre-attack-intrusion-set.json index 7c69222..b6893a4 100644 --- a/clusters/mitre-pre-attack-intrusion-set.json +++ b/clusters/mitre-pre-attack-intrusion-set.json @@ -222,6 +222,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", @@ -369,5 +376,5 @@ "value": "APT17 - G0025" } ], - "version": 8 + "version": 9 } diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json index c64f5e9..9775174 100644 --- a/clusters/mitre-tool.json +++ b/clusters/mitre-tool.json 
@@ -2493,8 +2493,8 @@ "refs": [ "https://attack.mitre.org/software/S0262", "https://github.com/quasar/QuasarRAT", - "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", - "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" + "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" ], "synonyms": [ "QuasarRAT", @@ -3724,5 +3724,5 @@ "value": "Nltest - S0359" } ], - "version": 13 + "version": 15 } From 984be503964c316c0ef634d6f55602b59f2a5fab Mon Sep 17 00:00:00 2001 From: Andras Iklody Date: Fri, 2 Aug 2019 15:40:31 +0200 Subject: [PATCH 04/37] lowercased value field for DarkHotel --- clusters/threat-actor.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5364b56..8f13979 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -414,7 +414,7 @@ } ], "uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d", - "value": "DarkHotel" + "value": "darkhotel" }, { "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.", @@ -7639,5 +7639,5 @@ "value": "TA428" } ], - "version": 125 + "version": 126 } From 7913adad619df76d732281a2e895f1f8bb3ae787 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 2 Aug 2019 16:08:40 +0200 Subject: [PATCH 05/37] chg: [threat-actor] rollback as discussed by chat with Andras until version 2.0 --- clusters/threat-actor.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 8f13979..5364b56 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -414,7 +414,7 @@
 }
 ],
 "uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d",
- "value": "darkhotel"
+ "value": "DarkHotel"
 },
 {
 "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.",
@@ -7639,5 +7639,5 @@
 "value": "TA428"
 }
 ],
- "version": 126
+ "version": 125
 }
From 17925f3e103ec9bad773ce0aa0457562300e86a3 Mon Sep 17 00:00:00 2001
From: Nils Kuhnert <3c7@users.noreply.github.com>
Date: Sat, 3 Aug 2019 18:55:00 +0200
Subject: [PATCH 06/37] Remove local file link :)
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5364b56..2a2fea4 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2384,7 +2384,7 @@
 "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
 "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf",
 "https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN",
- "file:///D:/Work/ThaiCERT/Cases/researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
+ "https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
 "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
 "https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae",
 "https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1",
From 4bef48b33e4020baca7fc4340efd4e0db68dc99a Mon Sep 17 00:00:00 2001
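Review bot: The replaced `file:///D:/Work/ThaiCERT/Cases/...` reference was a contributor's local working path rather than a public source, and nothing in the cluster data stops the same class of entry from landing again. Every other item in this `refs` array is an `https://` URL, so a validation step that rejects refs whose scheme is not `http` or `https` would have caught this before merge; I cannot tell from this patch whether the repository's existing checks already cover it. The enclosing cluster object starts and ends outside the hunk.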
From: Deborah Servili
Date: Tue, 6 Aug 2019 13:28:32 +0200
Subject: [PATCH 07/37] add Amavaldo
---
 clusters/tool.json | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index f9779b7..82ec890 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7798,6 +7798,15 @@
 },
 "uuid": "9ff6e087-6755-447a-b537-8f06c7aa4a85",
 "value": "Bookworm"
+ },
+ {
+ "value": "Amavaldo",
+ "description": "We named the malware family described in the rest of this blog post Amavaldo. This family is still in active development – the latest version we have observed (10.7) has a compilation timestamp of June 10th, 2019.",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/"
+ ]
+ }
 }
 ],
 "version": 122
From 53df0908c7268e91a34e53aa2a31d6c2c3a5cdb2 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 6 Aug 2019 15:34:23 +0200
Subject: [PATCH 08/37] update version
---
 clusters/tool.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 82ec890..3f38728 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7809,5 +7809,5 @@
 }
 }
 ],
- "version": 122
+ "version": 123
 }
From e239619d15f17f86d3e426c06a1af44f4a1cb7fc Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 6 Aug 2019 15:42:20 +0200
Subject: [PATCH 09/37] jq
---
 clusters/tool.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 3f38728..685b8ef 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
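Review bot: The new Amavaldo object has no `uuid` and lists `value` before `description`, unlike the Bookworm object just above it; PATCH 09 later in this series fixes both, but the description still reads as quoted blog prose (`We named the malware family described in the rest of this blog post Amavaldo`) and refers to context that does not exist inside the cluster. A self-contained sentence such as `Amavaldo is a banking trojan family in active development; the latest observed version (10.7) has a compilation timestamp of June 10th, 2019.` keeps the facts from the cited source without the first-person framing. PATCH 13 at the end of this page also adds Amavaldo to clusters/rat.json; if both entries stay, they should reference each other so the same family is not represented by two unrelated galaxy objects.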
@@ -7800,13 +7800,14 @@
 "value": "Bookworm"
 },
 {
- "value": "Amavaldo",
 "description": "We named the malware family described in the rest of this blog post Amavaldo. This family is still in active development – the latest version we have observed (10.7) has a compilation timestamp of June 10th, 2019.",
 "meta": {
 "refs": [
 "https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/"
 ]
- }
+ },
+ "uuid": "c72f8f57-fc2f-4ca2-afbe-ca5bfa5a1747",
+ "value": "Amavaldo"
 }
 ],
 "version": 123
From 1988662ee5d3a142ac186ccfe7ab657b9963c11e Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Fri, 9 Aug 2019 10:24:06 -0400
Subject: [PATCH 10/37] add APT41
---
 clusters/threat-actor.json | 46 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2a2fea4..646d309 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7637,7 +7637,51 @@ }, "uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d", "value": "TA428" + }, + { + "description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.", + "meta": { + "cfr-suspected-state-sponsor": "People's Republic of China", + "cfr-suspected-victims": [ + "France", + "India", + "Italy", + "Japan", + "Myanmar", + "Netherlands", + "Singapore", + "South Korea", + "South Africa", + "Switzerland", + "Thailand", + "Turkey", + "United Kingdom", + "United States" + ], + "cfr-target-category": [ + "Healthcare", + "High-tech", + "Media", + "Pharmaceuticals", + "Retail", + "Software companies", + "Telecoms", + "Travel services", + "Education", + "Video games", + "Virtual currencies" + ], + "country": "CN", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html" + ], + "synonyms": [ + "" + ] + }, + "uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", + "value": "APT41" } ], - "version": 125 + "version": 126 } From 320e298549f48c9ec9f2d72c387c2e37ded3c7ae Mon Sep 17 00:00:00 2001 From: Thomas Dupuy Date: Fri, 9 Aug 2019 10:45:10 -0400 Subject: [PATCH 11/37] update victims --- clusters/threat-actor.json | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 646d309..4daea87 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
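Review bot: `"synonyms": [""]` on the APT41 entry is a placeholder that behaves like a real alias: `tools/chk_dup.py` (extended later in this series) lower-cases and counts every synonym, and any consumer that matches names against synonym lists will match an empty string against anything that normalises to empty. Omit the key entirely when no aliases are known instead of shipping an empty string. The same placeholder had to be stripped again a few commits later, which is exactly the churn a pre-commit check on empty strings avoids.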
@@ -7659,17 +7659,21 @@ "United States" ], "cfr-target-category": [ + "Automotive", + "Business", + "Services", + "Cryptocurrency", + "Education", + "Energy", + "Financial", "Healthcare", - "High-tech", - "Media", + "High-Tech", + "Intergovernmental", + "Media and Entertainment", "Pharmaceuticals", "Retail", - "Software companies", - "Telecoms", - "Travel services", - "Education", - "Video games", - "Virtual currencies" + "Telecommunications", + "Travel" ], "country": "CN", "refs": [ From feac39db6b8679515adbb48ccf40581a24b365cd Mon Sep 17 00:00:00 2001 From: Rony <49360849+r0ny123@users.noreply.github.com> Date: Fri, 9 Aug 2019 22:19:09 +0530 Subject: [PATCH 12/37] added microsoft naming for the groups --- clusters/threat-actor.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 2a2fea4..e5f8a79 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -4770,6 +4770,9 @@ "refs": [ "https://www.fireeye.com/current-threats/apt-groups.html", "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf" + ], + "synonyms": [ + "MANGANESE" ] }, "uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795", @@ -5749,7 +5752,8 @@ "TEMP.Jumper", "APT 40", "APT40", - "BRONZE MOHAWK" + "BRONZE MOHAWK", + "GADOLINIUM" ] }, "related": [ From d96dc39c5a1644467ec79ef5bca2c6b8677a86cc Mon Sep 17 00:00:00 2001 From: Carlos Borges Date: Fri, 9 Aug 2019 18:00:37 -0300 Subject: [PATCH 13/37] Adding Amavaldo Banking Trojan --- clusters/rat.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/rat.json b/clusters/rat.json index cd041ba..9309583 100644 --- a/clusters/rat.json +++ b/clusters/rat.json 
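Review bot: `"Business",` followed by `"Services",` reads as the single sector "Business Services" split across two list items: every other element of `cfr-target-category` names one sector, and the otherwise alphabetical order (Automotive, Business…, Cryptocurrency) only holds if they are one item. I would collapse them to `"Business Services",`. Worth re-checking against the cited FireEye post rather than trusting my reading of the list.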
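Review bot: `MANGANESE` is added as a synonym without any reference showing where the mapping comes from, and the entry's `value` lies outside the hunk so the alias cannot be checked from the diff alone; the same applies to `GADOLINIUM` added to the APT40 aliases in the next hunk. A synonym is an attribution claim that downstream correlation acts on, so add the Microsoft page or report you used to `refs` in the same commit as each alias. Without a ref a later contributor cannot tell a confirmed vendor alias from a guess.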
@@ -3382,6 +3382,17 @@ }, "uuid": "0f117f50-9657-11e9-8e2b-83e391e0ce57", "value": "Felipe" + }, + { + "description": "Amavaldo is banking trojan writen in Delphi and known to targeting Spanish or Portuguese speaking countries. It contains backdoor functionality and can work as multi stage. Amavaldo also abuses legitimate tools and softwares", + "meta": { + "date": "2019", + "refs": [ + "https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/" + ] + }, + "uuid": "39c65b1d-7799-43d6-a963-4a058b1c756e", + "value": "Amavaldo Banking Trojan" } ], "version": 30 From df5c9057a15a2a797f3c6b7a0a19e05c1c75741e Mon Sep 17 00:00:00 2001 From: Thomas Dupuy Date: Fri, 9 Aug 2019 17:34:22 -0400 Subject: [PATCH 14/37] add synonyme for Turla --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4daea87..2ebe022 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2575,7 +2575,8 @@ "Pacifier APT", "Popeye", "SIG23", - "Iron Hunter" + "Iron Hunter", + "MAKERSMARK" ] }, "related": [ From 38aebbf42a611d5dcbbb83d796b4e1d12b4addee Mon Sep 17 00:00:00 2001 From: Sebastian Wagner Date: Mon, 19 Aug 2019 16:53:29 +0200 Subject: [PATCH 15/37] remove empty strings --- clusters/exploit-kit.json | 3 --- clusters/ransomware.json | 3 +-- clusters/threat-actor.json | 6 +----- 3 files changed, 2 insertions(+), 10 deletions(-) diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json index 197d7bb..872cf17 100644 --- a/clusters/exploit-kit.json +++ b/clusters/exploit-kit.json @@ -218,9 +218,6 @@ { "description": "Taurus Builder is a tool used to generate malicious MS Word documents that contain macros. The kit is advertised on forums by the user \"badbullzvenom\". ", "meta": { - "refs": [ - "" - ], "status": "Active" }, "uuid": "63988ca2-46c8-4bda-be46-96a8670af357", 
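Review bot: This adds a second Amavaldo entry (`"Amavaldo Banking Trojan"`, in rat.json) pointing at the same welivesecurity URL as the `Amavaldo` entry added to tool.json earlier in this series, and `tools/chk_dup.py` compares names exactly, so it will not flag the pair. Keep one entry, or at least link this one to the existing uuid `c72f8f57-fc2f-4ca2-afbe-ca5bfa5a1747` with a `related` block. The description also needs proof-reading: `"Amavaldo is a banking trojan written in Delphi and known to target Spanish- or Portuguese-speaking countries. It contains backdoor functionality, can operate in multiple stages, and abuses legitimate tools and software."`.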
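Review bot: `MAKERSMARK` is added to Turla's synonyms with no reference, and nothing in the hunk says which vendor uses that name. A synonym feeds every downstream name-matching pipeline, so the source should land in `refs` in the same commit as the alias. If it comes from the same vendor naming scheme as the aliases added two commits earlier, one ref covers both.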
diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 144fcaf..10ea030 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -12889,8 +12889,7 @@ "read_me_for_recover_your_files.txt" ], "refs": [ - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/", - "" + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/" ] }, "uuid": "3675e50d-3f76-45f8-b3f3-4a645779e14d", diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index aee3539..31bdae9 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7423,8 +7423,7 @@ "meta": { "refs": [ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf", - "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf", - "" + "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf" ] }, "uuid": "e502802e-8d0a-11e9-bd72-9f046529b3fd", @@ -7683,9 +7682,6 @@ "country": "CN", "refs": [ "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html" - ], - "synonyms": [ - "" ] }, "uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", From ea68336b969559e01dbeba951837768721587d27 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 27 Aug 2019 08:28:58 +0200 Subject: [PATCH 16/37] add ref for Gamaredon --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 31bdae9..4ebb4e1 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -4257,7 +4257,8 @@ "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution", "https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/", - "https://attack.mitre.org/groups/G0047/" + "https://attack.mitre.org/groups/G0047/", + "https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon" ] }, "related": [ From 9926ea88262d06a8155fb2756a53c487f282ba1f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 28 Aug 2019 14:35:12 +0200 Subject: [PATCH 17/37] chg: [threat-actor] LYCEUM added - 443 #fixed --- clusters/threat-actor.json | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 31bdae9..a99c16d 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7642,6 +7642,15 @@ "uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d", "value": "TA428" }, + { + "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a", + "value": "LYCEUM", + "meta": { + "refs": [ + "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" + ] + } + }, { "description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.", "meta": { @@ -7688,5 +7697,5 @@ "value": "APT41" } ], - "version": 126 + "version": 128 } From 395dd93e0f11e879f5f404d476eb91b2b3919c26 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Wed, 28 Aug 2019 15:40:03 +0200 Subject: [PATCH 18/37] add Asruex Backdoor --- clusters/backdoor.json | 12 +++++++++++- clusters/threat-actor.json | 2 +- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/clusters/backdoor.json b/clusters/backdoor.json index 4bb7a60..ac2cc9b 100644 --- a/clusters/backdoor.json 
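Review bot: The LYCEUM entry ships with `refs` only — no `description`, no `country`, no `synonyms` — so it is a bare name that consumers cannot display or correlate, even though the cited Secureworks post would support a one-line summary. Add a `description` drawn from that post (what the group targets and the period it reports) before merging rather than as a follow-up, and keep the key order (`meta`, `uuid`, `value`) the rest of the file uses so the jq pass is not needed. Separately, `"version": 126` jumps to `128` here while the Asruex commit in this series makes the same 126→128 jump from a different base; one of the two will either conflict or leave 127 unused.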
+++ b/clusters/backdoor.json @@ -80,7 +80,17 @@ ], "uuid": "a4757e11-0837-42c0-958a-7490cff58687", "value": "SLUB" + }, + { + "description": "Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector particularly through the use of old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which inject code in Word and PDF files respectively.", + "meta": { + "refs": [ + "https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/" + ] + }, + "uuid": "b7ad60a0-d648-4775-adec-c78b1a92fc34", + "value": "Asruex" } ], - "version": 5 + "version": 6 } diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4ebb4e1..24eb9ea 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7689,5 +7689,5 @@ "value": "APT41" } ], - "version": 126 + "version": 128 } From 025cc937653e39150375ecb73436a89ac03d3c9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Wed, 28 Aug 2019 16:49:39 +0200 Subject: [PATCH 19/37] fix: Make tests happy --- clusters/threat-actor.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index a99c16d..f392bf3 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
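Review bot: The Asruex description makes a concrete link to DarkHotel and to two exploited CVEs (CVE-2012-0158, CVE-2010-2883), but only in prose; the threat-actor cluster already uses `related` blocks for such links, so a `related` entry pointing at the DarkHotel cluster's uuid (look it up in threat-actor.json rather than guessing) would make the connection machine-readable. I would also state in the description that the CVEs are used by the infector variant carried in Word and PDF files, which the sentence currently leaves implicit. The threat-actor.json version hunk in this commit (126→128) collides with the identical bump in the LYCEUM commit.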
@@ -7643,13 +7643,13 @@ "value": "TA428" }, { - "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a", - "value": "LYCEUM", "meta": { "refs": [ "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" ] - } + }, + "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a", + "value": "LYCEUM" }, { "description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.", From 8d78a2a108c78173cb6c02f374b3ed7a1f2e8988 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 29 Aug 2019 08:31:10 +0200 Subject: [PATCH 20/37] chg: [threat-actor] jq all --- clusters/threat-actor.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index d5a6142..7250d68 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7644,13 +7644,13 @@ "value": "TA428" }, { - "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a", - "value": "LYCEUM", "meta": { "refs": [ "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" ] - } + }, + "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a", + "value": "LYCEUM" }, { "description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.", From 49f8f60a85d21f9518c5173002cd2697fa2b97e3 Mon Sep 17 00:00:00 2001 From: StefanKelm Date: Thu, 29 Aug 2019 13:13:00 +0200 Subject: [PATCH 21/37] Update threat-actor.json Add ITG08 as synonym for FIN6 --- clusters/threat-actor.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7250d68..222569b 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -3735,10 +3735,12 @@ "refs": [ "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", - "https://attack.mitre.org/groups/G0037/" + "https://attack.mitre.org/groups/G0037/", + "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" ], "synonyms": [ - "Skeleton Spider" + "Skeleton Spider", + "ITG08" ] }, "related": [ @@ -7698,5 +7700,5 @@ "value": "APT41" } ], - "version": 128 + "version": 129 } From c93103bba17c501a5cebe49b9646ccad1b8fe86e Mon Sep 17 00:00:00 2001 From: Sebastian Wagner Date: Fri, 30 Aug 2019 09:57:05 +0200 Subject: [PATCH 22/37] Add test for empty strings Should prevent MISP/misp-galaxy#438 --- .gitignore | 1 + tools/__init__.py | 0 tools/chk_dup.py | 33 ++++++++++++++++++++++++--------- tools/chk_empty_strings.py | 24 ++++++++++++++++++++++++ validate_all.sh | 3 +++ 5 files changed, 52 insertions(+), 9 deletions(-) create mode 100644 .gitignore create mode 100644 tools/__init__.py create mode 100755 tools/chk_empty_strings.py diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..bee8a64 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +__pycache__ diff --git a/tools/__init__.py b/tools/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/tools/chk_dup.py b/tools/chk_dup.py index 2ed2f89..9df3000 100755 --- a/tools/chk_dup.py +++ b/tools/chk_dup.py @@ -8,9 +8,19 @@ import os import collections -def loadjsons(path): +def loadjsons(path, return_paths=False): """ - Find all Jsons and load them in a dict + Find all Jsons and load them in a dict + + Parameters: + path: string + return_names: boolean, if the name of the file should be returned, + default: False + + Returns: + List of parsed file contents. + If return_paths is True, then every list item is a tuple of the + file name and the file content """ files = [] data = [] 
@@ -18,9 +28,14 @@ def loadjsons(path): if os.path.isfile(os.path.join(path, name)) and name.endswith('.json'): files.append(name) for jfile in files: - data.append(json.load(open("%s/%s" % (path, jfile)))) + filepath = os.path.join(path, jfile) + if return_paths: + data.append((filepath, json.load(open(filepath)))) + else: + data.append(json.load(json.load(open(filepath)))) return data + if __name__ == '__main__': """ Iterate all name + synonyms @@ -33,19 +48,19 @@ if __name__ == '__main__': items = djson.get('values') for entry in items: name = entry.get('value').strip().lower() - counter[name]+=1 + counter[name] += 1 namespace.append([name, djson.get('name')]) try: for synonym in entry.get('meta').get('synonyms'): name = synonym.strip().lower() - counter[name]+=1 + counter[name] += 1 namespace.append([name, djson.get('name')]) except (AttributeError, TypeError): pass counter = dict(counter) for key, val in counter.items(): - if val>1: - print ("Warning duplicate %s" % key) + if val > 1: + print("Warning duplicate %s" % key) for item in namespace: - if item[0]==key: - print (item) + if item[0] == key: + print(item) diff --git a/tools/chk_empty_strings.py b/tools/chk_empty_strings.py new file mode 100755 index 0000000..1ccac24 --- /dev/null +++ b/tools/chk_empty_strings.py @@ -0,0 +1,24 @@ +#!/usr/bin/env python3 +# coding=utf-8 +""" + Tools to find empty string entries in galaxies +""" +from .chk_dup import loadjsons +import sys + + +if __name__ == '__main__': + jsons = loadjsons("clusters", return_paths=True) + retval = 0 + for clustername, djson in jsons: + items = djson.get('values') + for entry in items: + name = entry.get('value') + for key, value in entry.get('meta', {}).items(): + if isinstance(value, list): + if '' in value: + retval = 1 + print("Empty string found in Cluster %r: values/%s/meta/%s" + "" % (clustername, name, key), + file=sys.stderr) + sys.exit(retval) diff --git a/validate_all.sh b/validate_all.sh index 7d1a842..f797c55 100755 
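Review bot: The new docstring documents a parameter named `return_names`, but the signature added in the same hunk declares `return_paths`, so the documentation is wrong from its first revision. Change the line to `return_paths: boolean, if the path of the file should be returned with its content, default: False`. The body of `loadjsons` continues in the next hunk.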
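Review bot: The `else` branch calls `json.load(json.load(open(filepath)))`: the inner call already returns the parsed document, and `json.load` on a dict raises AttributeError (no `.read`), so every caller using the default `return_paths=False` — which, as far as the hunk shows, includes `chk_dup.py`'s own `__main__` — now crashes instead of checking for duplicates. Both branches also leave the file handle open and rely on the locale encoding, which matters for the non-ASCII descriptions in these clusters. Parse once inside a `with` block, pin UTF-8, and pick the tuple form afterwards; the rest of the loop is unchanged.
```python
    for jfile in files:
        filepath = os.path.join(path, jfile)
        with open(filepath, encoding='utf-8') as fh:
            content = json.load(fh)
        data.append((filepath, content) if return_paths else content)
    return data
```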
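Review bot: The new check only inspects list-valued `meta` fields, so the scalar cases it is meant to prevent (an empty `"date": ""` or `"country": ""`, or an empty `description`/`value`) pass silently; the `territory-type` fix in the next commit is caught only because that field happens to be a list. Extend the condition to `if value == '' or (isinstance(value, list) and '' in value):` and add a check on `entry.get('value') == '' or entry.get('description') == ''` before the `meta` loop. The module uses a relative import (`from .chk_dup import loadjsons`), so it only runs as `python3 -m tools.chk_empty_strings` from the repository root, which is how validate_all.sh invokes it; a one-line comment saying so would save the next person an ImportError.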
--- a/validate_all.sh +++ b/validate_all.sh @@ -84,3 +84,6 @@ do fi echo '' done + +# check for empyt strings in clusters +python3 -m tools.chk_empty_strings From e13087a9c4d92021edef20017ed70ef8f3057014 Mon Sep 17 00:00:00 2001 From: Sebastian Wagner Date: Fri, 30 Aug 2019 10:05:29 +0200 Subject: [PATCH 23/37] target-information: fix territory-type for China --- clusters/target-information.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/target-information.json b/clusters/target-information.json index c316597..8bcc969 100644 --- a/clusters/target-information.json +++ b/clusters/target-information.json @@ -1493,7 +1493,7 @@ "Zhōnghuá Rénmín Gònghéguó" ], "territory-type": [ - "" + "Country" ] }, "uuid": "53d3d205-db31-4ec9-86aa-c2bf11fd18e6", From f5056ff02e8e08947a76839824d78a5959f7a266 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 30 Aug 2019 11:03:30 +0200 Subject: [PATCH 24/37] chg: [threat-actor] add machete-apt synonyms as reported in #445 --- clusters/threat-actor.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7250d68..cf48517 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -4675,7 +4675,8 @@ "https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" ], "synonyms": [ - "Machete" + "Machete", + "machete-apt" ] }, "uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3", @@ -7698,5 +7699,5 @@ "value": "APT41" } ], - "version": 128 + "version": 129 } From e79310c8619a96c6f627f471310f356c1a7f7429 Mon Sep 17 00:00:00 2001 From: rmkml Date: Sat, 31 Aug 2019 21:08:50 +0200 Subject: [PATCH 25/37] Add Nemty Ransomware --- clusters/ransomware.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 144fcaf..bc65e8e 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json 
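Review bot: The check is appended as the last command of validate_all.sh, so its non-zero exit becomes the script's exit status only by accident of position; if a failure-tracking variable or an explicit `exit` exists above the hunk (not visible here), wire the check into it, e.g. `python3 -m tools.chk_empty_strings || exit 1`. The comment also has a typo: `# check for empty strings in clusters`. The loop that precedes the new lines starts outside the hunk.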
@@ -13472,7 +13472,19 @@ }, "uuid": "6cfa553a-1e1b-115a-401f-015d681470b1", "value": "GetCrypt" + }, + { + "description": "A new ransomware family dubbed “Nemty” for the extension it adds to encrypted files has recently surfaced in the wild. According to a report from Bleeping Computer, New York-based reverse engineer Vitali Kremez posits that Nemty is possibly delivered through exposed remote desktop connections.", + "meta": { + "payment-method": "Bitcoin", + "price": "1000 $", + "refs": [ + "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections" + ] + }, + "uuid": "6cfa554a-1e2b-115a-400f-014d671470b1", + "value": "Nemty" } ], - "version": 64 + "version": 65 } From f40b7dd132cb67153644b5856621e6fedfbdca5f Mon Sep 17 00:00:00 2001 From: Daniel Plohmann Date: Sun, 1 Sep 2019 15:46:36 +0200 Subject: [PATCH 26/37] 'SectorJ04 Group' as alias introduced by NSHC for TA505 Not explicitly mentioned in the blog post but it looks like we just got an alias for TA505... https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/ --- clusters/threat-actor.json | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 2d0799c..7a23f1e 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
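Review bot: The Nemty uuid `6cfa554a-1e2b-115a-400f-014d671470b1` looks hand-derived from the neighbouring GetCrypt uuid `6cfa553a-1e1b-115a-401f-015d681470b1` (only a few nibbles differ) rather than generated. MISP treats uuids as globally unique across instances, so hand-edited near-copies risk colliding with an entry elsewhere and should be produced with `uuidgen` or `uuid.uuid4()`; the same pattern recurs in the later Buran, Hildacrypt and Mr.Dec entries of this series. `"price": "1000 $"` is free text — check the format other ransomware entries use for `price` so it stays parseable. The description paraphrases a Bleeping Computer report via Trend Micro; citing the primary report in `refs` would let readers verify the exposed-RDP claim.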
@@ -6914,7 +6914,11 @@ "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware", "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", "https://threatpost.com/ta505-servhelper-malware/140792/", - "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/" + "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/", + "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/" + ], + "synonyms": [ + "SectorJ04 Group" ] }, "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f", @@ -7701,5 +7705,5 @@ "value": "APT41" } ], - "version": 129 + "version": 130 } From 28ec6962725a350e1ab082219a478cafc7e8740d Mon Sep 17 00:00:00 2001 From: rmkml Date: Sun, 1 Sep 2019 21:20:28 +0200 Subject: [PATCH 27/37] Add Buran Ransomware --- clusters/ransomware.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index bc65e8e..1586fcd 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -13484,7 +13484,17 @@ }, "uuid": "6cfa554a-1e2b-115a-400f-014d671470b1", "value": "Nemty" + }, + { + "description": "Buran is a new version of the Vega ransomware strain (a.k.a. Jamper, Ghost, Buhtrap) that attacked accountants from February through April 2019. The new Buran ransomware first was discovered by nao_sec in June 2019, delivered by the RIG Exploit Kit, as reported by BleepingComputer.", + "meta": { + "refs": [ + "https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit" + ] + }, + "uuid": "6cfa554a-1e1b-114a-300f-013d671370b0", + "value": "Buran" } ], - "version": 65 + "version": 66 } From 9e3a998dfc711ec2be5cb48bc9356903e2fcfd24 Mon Sep 17 00:00:00 2001 
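Review bot: The Buran description ties it to the Vega strain (a.k.a. Jamper, Ghost, Buhtrap) and to delivery by the RIG exploit kit, but none of that is modelled: if Vega or RIG exist as entries in the ransomware or exploit-kit clusters, add `related` links (or `synonyms` for the Vega aliases, if the source genuinely treats them as one family) instead of leaving the lineage in prose. As with Nemty, the uuid `6cfa554a-1e1b-114a-300f-013d671370b0` appears edited from the previous entry's uuid rather than generated; please use `uuidgen`.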
From: Deborah Servili Date: Tue, 3 Sep 2019 15:51:21 +0200 Subject: [PATCH 28/37] aff SectorJ04 group --- clusters/threat-actor.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 24eb9ea..30ad8d0 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7687,7 +7687,12 @@ }, "uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", "value": "APT41" + }, + { + "description": "SectorJ04 is a Russian-based cybercrime group that began operating about five years ago and conducted hacking activities for financial profit using malware such as banking trojans and ransomware against national and industrial sectors located across Europe, North America and West Africa.\nIn 2019, the SectorJ04 group expanded its hacking activities to cover various industrial sectors located across Southeast Asia and East Asia, and is changing the pattern of their attacks from targeted attacks to searching for random victims. This report includes details related to the major hacking targets of the SectorJ04 group in 2019, how those targets were hacked, characteristics of their hacking activities this year and recent cases of the SectorJ04 group’s hacking.", + "uuid": "50e25cfb-8b4d-408d-a7c6-bd0672662d39", + "value": "SectorJ04" } ], - "version": 128 + "version": 129 } From dfc6321e0c3f5545e93b3179b61e117134b9846a Mon Sep 17 00:00:00 2001 From: rmkml Date: Sat, 7 Sep 2019 19:43:08 +0200 Subject: [PATCH 29/37] Add AsyncRAT --- clusters/rat.json | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/clusters/rat.json b/clusters/rat.json index d32547a..80a06ea 100644 --- a/clusters/rat.json +++ b/clusters/rat.json 
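Review bot: This creates a standalone `SectorJ04` actor a few commits after `"SectorJ04 Group"` was added as a synonym of TA505 (uuid `03c80674-35f8-4fe0-be2b-226ed0fcd69f`), so the same group now resolves to two clusters, and `tools/chk_dup.py` compares names exactly so it will not catch `SectorJ04` vs `SectorJ04 Group`. Either drop this entry or reduce it to a `related` link from TA505. If it stays, it needs `meta`: the description is quoted from the NSHC report already cited on the TA505 entry, so at minimum `"meta": {"refs": ["https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/"]}`, and the "Russian-based" claim in the description should be expressed through `country` the way other entries do rather than only in prose.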
@@ -3348,7 +3348,18 @@ }, "uuid": "1b6a066c-50ba-4aa6-a49b-823e94e110fe", "value": "Caesar RAT" + }, + { + "description": "Open-Source Remote Administration Tool For Windows C# (RAT)", + "meta": { + "refs": [ + "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp", + "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat" + ] + }, + "uuid": "1b6a065c-40ba-4aa5-a46b-813e74e010fe", + "value": "AsyncRAT" } ], - "version": 28 + "version": 29 } From db2b5a13ef03109899bd4ec59a53341cd9cf7094 Mon Sep 17 00:00:00 2001 From: StefanKelm Date: Thu, 12 Sep 2019 11:57:03 +0200 Subject: [PATCH 30/37] Update threat-actor.json Silent Librarian --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 930ee7d..eaf64be 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7287,6 +7287,7 @@ "https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment", "https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic", "https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary", + "https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again", "https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities" ], "synonyms": [ @@ -7710,5 +7711,5 @@ "value": "SectorJ04" } ], - "version": 131 + "version": 132 } From f907797d410ed1f5e29fb4cbf4385be38df2de08 Mon Sep 17 00:00:00 2001 From: rmkml Date: Sat, 14 Sep 2019 00:08:54 +0200 Subject: [PATCH 31/37] Add InnfiRAT --- clusters/rat.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/clusters/rat.json b/clusters/rat.json index fe1ba31..70b21ab 100644 --- a/clusters/rat.json +++ b/clusters/rat.json 
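Review bot: The AsyncRAT uuid `1b6a065c-40ba-4aa5-a46b-813e74e010fe` differs from the preceding Caesar RAT uuid `1b6a066c-50ba-4aa6-a49b-823e94e110fe` by a handful of nibbles, which looks like hand-editing rather than generation; uuids are the cross-instance key in MISP, so generate them with `uuidgen`. The description is the repository's one-line tagline; adding that the tool is publicly available source code (the first ref is the GitHub project) would tell analysts why attribution on AsyncRAT samples is weak.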
@@ -3404,7 +3404,17 @@ }, "uuid": "1b6a065c-40ba-4aa5-a46b-813e74e010fe", "value": "AsyncRAT" + }, + { + "description": "new RAT called InnfiRAT, which is written in .NET and designed to perform specific tasks from an infected machine", + "meta": { + "refs": [ + "https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more" + ] + }, + "uuid": "1b4a085c-30bb-5aa5-b46a-803e94e010ff", + "value": "InnfiRAT" } ], - "version": 30 + "version": 31 } From dff982be2072a590665627f642e4745b38f890ff Mon Sep 17 00:00:00 2001 From: rmkml Date: Sat, 14 Sep 2019 21:49:16 +0200 Subject: [PATCH 32/37] Add Hildacrypt Ransomware --- clusters/ransomware.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 36676c0..e2ce520 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -13493,7 +13493,17 @@ }, "uuid": "6cfa554a-1e1b-114a-300f-013d671370b0", "value": "Buran" + }, + { + "description": "The Hildacrypt ransomware encrypts the victim’s files with a strong encryption algorithm and the filename extension .hilda until the victim pays a fee to get them back.", + "meta": { + "refs": [ + "https://securitynews.sonicwall.com/xmlpost/hildacrypt-ransomware-actively-spreading-in-the-wild/" + ] + }, + "uuid": "6cea5549-1d1b-111a-309f-012d671360b1", + "value": "Hildacrypt" } ], - "version": 66 + "version": 67 } From 5631d210a0e53ea33cb3096b6becaba28cc14893 Mon Sep 17 00:00:00 2001 From: rmkml Date: Tue, 17 Sep 2019 00:44:56 +0200 Subject: [PATCH 33/37] Add Mr.Dec Ransomware --- clusters/ransomware.json | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index e2ce520..f5ca550 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json 
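Review bot: The InnfiRAT description is a lower-case sentence fragment (`"new RAT called InnfiRAT, which is written in .NET ..."`) and "designed to perform specific tasks" says nothing actionable. Write it as a standalone statement, e.g. `"InnfiRAT is a RAT written in .NET; the cited Zscaler analysis describes it collecting cryptocurrency-related and other data from infected machines."` — adjusted to what the post actually states. The uuid follows the same edit-a-neighbour pattern as the AsyncRAT entry above it.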
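Review bot: The `.hilda` extension is the one concrete indicator in the Hildacrypt description, but it is buried in prose while this cluster already carries structured fields (`encryption` on the Mr.Dec entry, a ransom-note filename earlier in the file). If the ransomware schema has an `extensions` list, add `"extensions": [".hilda"]` to `meta` so it can be matched automatically. "Strong encryption algorithm" is vague; either name the algorithm the SonicWall post identifies or drop the adjective.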
@@ -13503,7 +13503,23 @@ }, "uuid": "6cea5549-1d1b-111a-309f-012d671360b1", "value": "Hildacrypt" + }, + { + "description": "Mr. Dec ransomware is cryptovirus that was first spotted in mid-May 2018, and since then was updated multiple times. The ransomware encrypts all personal data on the device with the help of AES encryption algorithm and appends .[ID]random 16 characters[ID] file extension, preventing from their further usage.", + "meta": { + "encryption": "AES", + "refs": [ + "https://www.2-spyware.com/remove-mr-dec-ransomware.html", + "https://id-ransomware.blogspot.com/2018/05/mrdec-ransomware.html" + ], + "synonyms": [ + "MrDec", + "Sherminator" + ] + }, + "uuid": "7cea4438-1d1c-121a-30af-011d661260b2", + "value": "Mr.Dec" } ], - "version": 67 + "version": 68 } From b9b4b9c65152b04cb72d9824629ff780d31a5b69 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 20 Sep 2019 14:53:25 +0200 Subject: [PATCH 34/37] Add Tortoiseshell thrat actor --- clusters/threat-actor.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index eaf64be..cc92b64 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
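Review bot: The first ref for Mr.Dec is a removal-guide site (2-spyware.com) of limited analytical value; the id-ransomware post is the better primary source and should be listed first, and the `Sherminator` synonym ought to be traceable to one of the two refs — I cannot confirm it from the hunk. The extension pattern `.[ID]<16 random chars>[ID]` is the useful indicator and, like `encryption`, belongs in a structured field if the schema has one. The uuid again looks hand-edited from the neighbouring entry rather than generated.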
@@ -7709,6 +7709,16 @@
 "description": "SectorJ04 is a Russian-based cybercrime group that began operating about five years ago and conducted hacking activities for financial profit using malware such as banking trojans and ransomware against national and industrial sectors located across Europe, North America and West Africa.\nIn 2019, the SectorJ04 group expanded its hacking activities to cover various industrial sectors located across Southeast Asia and East Asia, and is changing the pattern of their attacks from targeted attacks to searching for random victims. This report includes details related to the major hacking targets of the SectorJ04 group in 2019, how those targets were hacked, characteristics of their hacking activities this year and recent cases of the SectorJ04 group’s hacking.",
 "uuid": "50e25cfb-8b4d-408d-a7c6-bd0672662d39",
 "value": "SectorJ04"
+ },
+ {
+ "description": "A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers.\nThe group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain"
+ ]
+ },
+ "uuid": "5f108484-db7f-11e9-aaa4-fb0176425734",
+ "value": "Tortoiseshell"
 }
 ],
 "version": 132
From 638cdd41988a35a14b1bd2230af4101bec5164e1 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 20 Sep 2019 14:54:56 +0200
Subject: [PATCH 35/37] version update
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
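Review bot: The trailing context line `"version": 132` is left untouched although this hunk adds a new Tortoiseshell entry, whereas every other entry-adding commit in this series bumps the cluster version in the same change (e.g. `- "version": 67` / `+ "version": 68` for Mr.Dec). The next commit, "version update" (PATCH 35/37), repairs this, but as two separate commits the intermediate state publishes a changed cluster under the old version, which presumably defeats any version-based update detection in consumers; squashing the two would avoid that. The entry itself follows the shape of its neighbours (`description`, `meta.refs`, `uuid`, `value`), and its uuid is a proper time-based identifier rather than a hand-edited copy.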
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index cc92b64..ae4a0be 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7721,5 +7721,5 @@
 "value": "Tortoiseshell"
 }
 ],
- "version": 132
+ "version": 133
 }
From a5ae130916f890d339fa0ccb6b2353aafa5bab39 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 25 Sep 2019 11:27:03 +0200
Subject: [PATCH 36/37] chg: [threat-actor] Evil Eye and POISON CARP
Ref: https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/
Signed-off: Jean-Louis during training session
---
 clusters/threat-actor.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ae4a0be..535720b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7719,7 +7719,21 @@
 },
 "uuid": "5f108484-db7f-11e9-aaa4-fb0176425734",
 "value": "Tortoiseshell"
+ },
+ {
+ "description": "Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP.",
+ "meta": {
+ "refs": [
+ "https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/",
+ "https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/"
+ ],
+ "synonyms": [
+ "Evil Eye"
+ ]
+ },
+ "uuid": "7aa99279-4255-4d26-bb95-12e7156555a0",
+ "value": "POISON CARP"
 }
 ],
- "version": 133
+ "version": 134
 }
From 309109eb270966a716edbbbd621bd96aa2a90726 Mon Sep 17 00:00:00 2001
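Review bot: The synonym `"Evil Eye"` is added without anything in the `description` or the commit message saying where the alias comes from; the description names the operator only as POISON CARP. The second entry in `refs` (the Volexity post on surveillance of Uyghurs) appears to be the source, but an analyst reading the entry cannot tell whether Evil Eye designates the same operator, overlapping infrastructure, or merely a related campaign, and a synonym in this cluster will merge the two names in every downstream correlation. If the Volexity reference does track this activity as Evil Eye, a closing sentence such as `Overlapping activity targeting Uyghur groups is tracked by Volexity under the name Evil Eye.` would make the alias traceable; if it does not, the name belongs in a separate entry rather than in `synonyms`.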
From: Alexandre Dulaunoy
Date: Wed, 25 Sep 2019 12:12:34 +0200
Subject: [PATCH 37/37] chg: [threat-actor] new LookBack (Malware?Campaign?TA?)
Signed-off: During MISP training
---
 clusters/threat-actor.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 535720b..2b6af3b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7733,7 +7733,18 @@
 },
 "uuid": "7aa99279-4255-4d26-bb95-12e7156555a0",
 "value": "POISON CARP"
+ },
+ {
+ "description": "Early in August 2019, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that we dubbed “Lookback”. Between August 21 and August 29, 2019, several spear phishing emails were identified targeting additional US companies in the utilities sector. The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing body related to the utilities sector. In this case, it masqueraded as the legitimate domain for Global Energy Certification (“GEC”). The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack. (Note confusion between Malware, Campaign and ThreatActor)",
+ "uuid": "5cd95926-0098-435e-892d-9c9f61763ad7",
+ "value": "LookBack",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals",
+ "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks"
+ ]
+ }
 }
 ],
- "version": 134
+ "version": 135
 }
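Review bot: The editorial remark `(Note confusion between Malware, Campaign and ThreatActor)` is embedded in the `description` string of the new LookBack entry, so it will be rendered to every consumer of the cluster as if it were part of the actor description. The commit subject already records this uncertainty (`new LookBack (Malware?Campaign?TA?)`), and the description itself says Proofpoint used "Lookback" as the name of the malware, so the parenthetical should be dropped from the description and the classification question settled before the entry lands in threat-actor.json rather than shipped as data. Separately, this entry orders its keys `description`, `uuid`, `value`, `meta`, whereas the surrounding entries (including the POISON CARP entry in the context lines) use `description`, `meta`, `uuid`, `value`; keeping the same order avoids an inconsistent entry and needless churn if a normalising formatter is later run over the file.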