[mitre] bump to MITRE ATT&CK v11.2

pull/719/head v2.4.159
Christophe Vandeplas 2022-05-25 21:03:14 +02:00
parent 4a469299fd
commit 39073004c4
4 changed files with 252 additions and 378 deletions



@ -19,7 +19,7 @@
"https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf",
"https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/",
"https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/",
"https://www.mandiant.com/resources/operation-saffron-rose"
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf"
],
"synonyms": [
"Ajax Security Team",
@ -19529,8 +19529,7 @@
"external_id": "G0042",
"refs": [
"https://attack.mitre.org/groups/G0042"
],
"synonyms": []
]
},
"related": [
{
@ -20217,8 +20216,7 @@
"external_id": "G0057",
"refs": [
"https://attack.mitre.org/groups/G0057"
],
"synonyms": []
]
},
"related": [
{
@ -29037,7 +29035,7 @@
"value": "Chimera - G0114"
},
{
"description": "[Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in Eastern Asia and the Middle East.(Citation: ESET Gelsemium June 2021)",
"description": "[Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in East Asia and the Middle East.(Citation: ESET Gelsemium June 2021)",
"meta": {
"external_id": "G0141",
"refs": [
@ -29048,43 +29046,7 @@
"Gelsemium"
]
},
"related": [
{
"dest-uuid": "60c4b628-4807-4b0b-bbf5-fdac8643c337",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "efa7c4d6-8e30-41d9-a8fd-26dc337f4a1b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"related": [],
"uuid": "99910207-1741-4da1-9b5d-537410186b51",
"value": "Gelsemium - G0141"
},
@ -30747,5 +30709,5 @@
"value": "TeamTNT - G0139"
}
],
"version": 25
"version": 26
}
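Review bot: The regenerated entries now drop `synonyms` (and, in the two following file sections, `mitre_platforms`) entirely when the list is empty instead of emitting `[]` — see G0042 and G0057 here — so any consumer that iterates `meta.synonyms` or `meta.mitre_platforms` unconditionally will now hit a missing key where it previously got an empty list. Either confirm the cluster schema and known consumers tolerate an absent key, or keep emitting `"synonyms": []` so the value shape stays stable across versions. Separately, the Gelsemium group G0141 loses all five of its `uses` relations and ends up with `"related": []`, while the S0666 malware entry in the next section gains a matching set (including `7bd9c723-2f78-4309-82c5-47cad406572b`); this looks like upstream ATT&CK moving those relationships from the group to the software, but it is worth checking against the v11.2 bundle rather than assuming the generator did not silently drop them.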


@ -13,7 +13,6 @@
"description": "[Hacking Team UEFI Rootkit](https://attack.mitre.org/software/S0047) is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. (Citation: TrendMicro Hacking Team UEFI)",
"meta": {
"external_id": "S0047",
"mitre_platforms": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/",
"https://attack.mitre.org/software/S0047"
@ -2248,7 +2247,7 @@
],
"refs": [
"https://attack.mitre.org/software/S0056",
"https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
],
"synonyms": [
"Net Crawler",
@ -3609,13 +3608,11 @@
"description": "[Power Loader](https://attack.mitre.org/software/S0177) is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)",
"meta": {
"external_id": "S0177",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0177",
"https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html",
"https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/"
],
"synonyms": []
]
},
"related": [
{
@ -6007,12 +6004,10 @@
"description": "[Miner-C](https://attack.mitre.org/software/S0133) is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. (Citation: Softpedia MinerC)",
"meta": {
"external_id": "S0133",
"mitre_platforms": [],
"refs": [
"http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml",
"https://attack.mitre.org/software/S0133"
],
"synonyms": []
]
},
"related": [
{
@ -7807,7 +7802,7 @@
],
"refs": [
"https://attack.mitre.org/software/S0004",
"https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
],
"synonyms": [
"TinyZBot"
@ -10156,12 +10151,10 @@
"description": "[Wiper](https://attack.mitre.org/software/S0041) is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. (Citation: Dell Wiper)",
"meta": {
"external_id": "S0041",
"mitre_platforms": [],
"refs": [
"http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/",
"https://attack.mitre.org/software/S0041"
],
"synonyms": []
]
},
"related": [
{
@ -12151,12 +12144,10 @@
"description": "[Uroburos](https://attack.mitre.org/software/S0022) is a rootkit used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla)",
"meta": {
"external_id": "S0022",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0022",
"https://securelist.com/the-epic-turla-operation/65545/"
],
"synonyms": []
]
},
"related": [
{
@ -15000,12 +14991,10 @@
"description": "[Zeroaccess](https://attack.mitre.org/software/S0027) is a kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that attempts to add victims to the ZeroAccess botnet, often for monetary gain. (Citation: Sophos ZeroAccess)",
"meta": {
"external_id": "S0027",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0027",
"https://sophosnews.files.wordpress.com/2012/04/zeroaccess2.pdf"
],
"synonyms": []
]
},
"related": [
{
@ -15030,12 +15019,10 @@
"description": "[SHIPSHAPE](https://attack.mitre.org/software/S0028) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)",
"meta": {
"external_id": "S0028",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0028",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"synonyms": []
]
},
"related": [
{
@ -15331,11 +15318,9 @@
"description": "",
"meta": {
"external_id": "S0209",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0209"
],
"synonyms": []
]
},
"related": [
{
@ -16073,7 +16058,6 @@
"description": "[FrameworkPOS](https://attack.mitre.org/software/S0503) is a point of sale (POS) malware used by [FIN6](https://attack.mitre.org/groups/G0037) to steal payment card data from sytems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)",
"meta": {
"external_id": "S0503",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0503",
"https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/"
@ -16665,7 +16649,7 @@
"https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01",
"https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf",
"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf",
"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf "
"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf"
],
"synonyms": [
"Stuxnet",
@ -17637,7 +17621,6 @@
"description": "[SQLRat](https://attack.mitre.org/software/S0390) is malware that executes SQL scripts to avoid leaving traditional host artifacts. [FIN7](https://attack.mitre.org/groups/G0046) has been observed using it.(Citation: Flashpoint FIN 7 March 2019)",
"meta": {
"external_id": "S0390",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0390",
"https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/"
@ -19094,9 +19077,9 @@
],
"refs": [
"https://attack.mitre.org/software/S0604",
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf ",
"https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf ",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf "
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
"https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
],
"synonyms": [
"Industroyer",
@ -23022,12 +23005,10 @@
"description": "[MobileOrder](https://attack.mitre.org/software/S0079) is a Trojan intended to compromise Android mobile devices. It has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). (Citation: Scarlet Mimic Jan 2016)",
"meta": {
"external_id": "S0079",
"mitre_platforms": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/",
"https://attack.mitre.org/software/S0079"
],
"synonyms": []
]
},
"related": [
{
@ -23679,12 +23660,10 @@
"description": "[TINYTYPHON](https://attack.mitre.org/software/S0131) is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. (Citation: Forcepoint Monsoon)",
"meta": {
"external_id": "S0131",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0131",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
],
"synonyms": []
]
},
"related": [
{
@ -24092,12 +24071,10 @@
"description": "[HALFBAKED](https://attack.mitre.org/software/S0151) is a malware family consisting of multiple components intended to establish persistence in victim networks. (Citation: FireEye FIN7 April 2017)",
"meta": {
"external_id": "S0151",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0151",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
],
"synonyms": []
]
},
"related": [
{
@ -25488,12 +25465,10 @@
"description": "[HAPPYWORK](https://attack.mitre.org/software/S0214) is a downloader used by [APT37](https://attack.mitre.org/groups/G0067) to target South Korean government and financial victims in November 2016. (Citation: FireEye APT37 Feb 2018)",
"meta": {
"external_id": "S0214",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0214",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
],
"synonyms": []
]
},
"related": [
{
@ -27737,12 +27712,10 @@
"description": "[SHUTTERSPEED](https://attack.mitre.org/software/S0217) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)",
"meta": {
"external_id": "S0217",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0217",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
],
"synonyms": []
]
},
"related": [
{
@ -28479,12 +28452,10 @@
"description": "[WINERACK](https://attack.mitre.org/software/S0219) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)",
"meta": {
"external_id": "S0219",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0219",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
],
"synonyms": []
]
},
"related": [
{
@ -30286,6 +30257,7 @@
"macOS"
],
"refs": [
"http://www.thesafemac.com/new-signed-malware-called-janicab/",
"https://attack.mitre.org/software/S0163"
],
"synonyms": [
@ -33577,12 +33549,10 @@
"description": "[WINDSHIELD](https://attack.mitre.org/software/S0155) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)",
"meta": {
"external_id": "S0155",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0155",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
],
"synonyms": []
]
},
"related": [
{
@ -35328,7 +35298,6 @@
"description": "[Tomiris](https://attack.mitre.org/software/S0671) is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between [Tomiris](https://attack.mitre.org/software/S0671) and [GoldMax](https://attack.mitre.org/software/S0588).(Citation: Kaspersky Tomiris Sep 2021)",
"meta": {
"external_id": "S0671",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0671",
"https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/"
@ -43808,12 +43777,10 @@
"description": "[DDKONG](https://attack.mitre.org/software/S0255) is a malware sample that was part of a campaign by [Rancor](https://attack.mitre.org/groups/G0075). [DDKONG](https://attack.mitre.org/software/S0255) was first seen used in February 2017. (Citation: Rancor Unit42 June 2018)",
"meta": {
"external_id": "S0255",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0255",
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
],
"synonyms": []
]
},
"related": [
{
@ -56577,7 +56544,6 @@
"description": "[JCry](https://attack.mitre.org/software/S0389) is ransomware written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.(Citation: Carbon Black JCry May 2019)",
"meta": {
"external_id": "S0389",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0389",
"https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/"
@ -66563,7 +66529,7 @@
"value": "Kinsing - S0599"
},
{
"description": "[Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of dropper (Gelsemine), loader (Gelsenicine), and main (Gelsevirine) plug ins that has been used by the [Gelsemium](https://attack.mitre.org/groups/G0141) group since at least 2014.(Citation: ESET Gelsemium June 2021)",
"description": "[Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://attack.mitre.org/software/S0666) has been used by the Gelsemium group since at least 2014.(Citation: ESET Gelsemium June 2021)",
"meta": {
"external_id": "S0666",
"mitre_platforms": [
@ -66595,6 +66561,13 @@
],
"type": "uses"
},
{
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"tags": [
@ -66602,6 +66575,13 @@
],
"type": "uses"
},
{
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2de47683-f398-448f-b947-9abcc3e32fad",
"tags": [
@ -66609,6 +66589,13 @@
],
"type": "uses"
},
{
"dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
@ -66616,6 +66603,20 @@
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
@ -66624,14 +66625,14 @@
"type": "uses"
},
{
"dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6",
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@ -66658,6 +66659,20 @@
],
"type": "uses"
},
{
"dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
@ -66679,6 +66694,13 @@
],
"type": "uses"
},
{
"dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
@ -66686,6 +66708,13 @@
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"tags": [
@ -66693,6 +66722,13 @@
],
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@ -66700,6 +66736,13 @@
],
"type": "uses"
},
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"tags": [
@ -66714,6 +66757,13 @@
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
"tags": [
@ -66726,7 +66776,7 @@
"value": "Gelsemium - S0666"
},
{
"description": "[Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool, written using the Microsoft Foundation Class (MFC) framework, that has infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666).(Citation: ESET Gelsemium June 2021)",
"description": "[Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666) malware.(Citation: ESET Gelsemium June 2021)",
"meta": {
"external_id": "S0667",
"mitre_platforms": [
@ -66755,6 +66805,13 @@
],
"type": "uses"
},
{
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
@ -66763,7 +66820,35 @@
"type": "uses"
},
{
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@ -66776,6 +66861,13 @@
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
@ -68231,5 +68323,5 @@
"value": "HermeticWizard - S0698"
}
],
"version": 24
"version": 25
}


@ -41,12 +41,10 @@
"description": "[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)",
"meta": {
"external_id": "S0122",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0122",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": []
]
},
"related": [
{
@ -300,12 +298,10 @@
"description": "[Invoke-PSImage](https://attack.mitre.org/software/S0231) takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from a file of from the web. Example of usage is embedding the PowerShell code from the Invoke-Mimikatz module and embed it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. (Citation: GitHub Invoke-PSImage)",
"meta": {
"external_id": "S0231",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0231",
"https://github.com/peewpw/Invoke-PSImage"
],
"synonyms": []
]
},
"related": [
{
@ -323,12 +319,10 @@
"description": "[ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)",
"meta": {
"external_id": "S0100",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0100",
"https://technet.microsoft.com/en-us/library/bb490921.aspx"
],
"synonyms": []
]
},
"related": [
{
@ -726,12 +720,10 @@
"description": "[ifconfig](https://attack.mitre.org/software/S0101) is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)",
"meta": {
"external_id": "S0101",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0101",
"https://en.wikipedia.org/wiki/Ifconfig"
],
"synonyms": []
]
},
"related": [
{
@ -776,12 +768,10 @@
"description": "[nbtstat](https://attack.mitre.org/software/S0102) is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)",
"meta": {
"external_id": "S0102",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0102",
"https://technet.microsoft.com/en-us/library/cc940106.aspx"
],
"synonyms": []
]
},
"related": [
{
@ -806,12 +796,10 @@
"description": "[route](https://attack.mitre.org/software/S0103) can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)",
"meta": {
"external_id": "S0103",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0103",
"https://technet.microsoft.com/en-us/library/bb490991.aspx"
],
"synonyms": []
]
},
"related": [
{
@ -829,12 +817,10 @@
"description": "[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)",
"meta": {
"external_id": "S0104",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0104",
"https://technet.microsoft.com/en-us/library/bb490947.aspx"
],
"synonyms": []
]
},
"related": [
{
@ -1747,12 +1733,10 @@
"description": "The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)",
"meta": {
"external_id": "S0057",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0057",
"https://technet.microsoft.com/en-us/library/bb491010.aspx"
],
"synonyms": []
]
},
"related": [
{
@ -1896,12 +1880,10 @@
"description": "[Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)",
"meta": {
"external_id": "S0096",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0096",
"https://technet.microsoft.com/en-us/library/bb491007.aspx"
],
"synonyms": []
]
},
"related": [
{
@ -1919,12 +1901,10 @@
"description": "[Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)",
"meta": {
"external_id": "S0097",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0097",
"https://technet.microsoft.com/en-us/library/bb490968.aspx"
],
"synonyms": []
]
},
"related": [
{
@ -2034,12 +2014,10 @@
"description": "[UACMe](https://attack.mitre.org/software/S0116) is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)",
"meta": {
"external_id": "S0116",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0116",
"https://github.com/hfiref0x/UACME"
],
"synonyms": []
]
},
"related": [
{
@ -2091,13 +2069,11 @@
"description": "[Winexe](https://attack.mitre.org/software/S0191) is a lightweight, open source tool similar to [PsExec](https://attack.mitre.org/software/S0029) designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) [Winexe](https://attack.mitre.org/software/S0191) is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)",
"meta": {
"external_id": "S0191",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0191",
"https://github.com/skalkoto/winexe/",
"https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/"
],
"synonyms": []
]
},
"related": [
{
@ -2122,12 +2098,10 @@
"description": "[xCmd](https://attack.mitre.org/software/S0123) is an open source tool that is similar to [PsExec](https://attack.mitre.org/software/S0029) and allows the user to execute applications on remote systems. (Citation: xCmd)",
"meta": {
"external_id": "S0123",
"mitre_platforms": [],
"refs": [
"https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/",
"https://attack.mitre.org/software/S0123"
],
"synonyms": []
]
},
"related": [
{
@ -2682,12 +2656,10 @@
"description": "[Forfiles](https://attack.mitre.org/software/S0193) is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. (Citation: Microsoft Forfiles Aug 2016)",
"meta": {
"external_id": "S0193",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0193",
"https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753551(v=ws.11)"
],
"synonyms": []
]
},
"related": [
{
@ -2774,12 +2746,10 @@
"description": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)",
"meta": {
"external_id": "S0174",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0174",
"https://github.com/SpiderLabs/Responder"
],
"synonyms": []
]
},
"related": [
{
@ -3061,8 +3031,8 @@
"Windows"
],
"refs": [
" https://unit42.paloaltonetworks.com/ironnetinjector/",
"https://attack.mitre.org/software/S0581"
"https://attack.mitre.org/software/S0581",
"https://unit42.paloaltonetworks.com/ironnetinjector/"
],
"synonyms": [
"IronNetInjector"
@ -3237,12 +3207,10 @@
"description": "[Havij](https://attack.mitre.org/software/S0224) is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. (Citation: Check Point Havij Analysis)",
"meta": {
"external_id": "S0224",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0224",
"https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/"
],
"synonyms": []
]
},
"related": [
{
@ -3260,12 +3228,10 @@
"description": "[sqlmap](https://attack.mitre.org/software/S0225) is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. (Citation: sqlmap Introduction)",
"meta": {
"external_id": "S0225",
"mitre_platforms": [],
"refs": [
"http://sqlmap.org/",
"https://attack.mitre.org/software/S0225"
],
"synonyms": []
]
},
"related": [
{
@ -3810,7 +3776,7 @@
],
"refs": [
"https://attack.mitre.org/software/S0552",
"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ ",
"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html"
],
@ -4336,7 +4302,7 @@
],
"refs": [
"https://attack.mitre.org/software/S0363",
"https://github.com/EmpireProject/Empire",
"https://github.com/PowerShellEmpire/Empire",
"https://github.com/dstepanic/attck_empire",
"https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools"
],
@ -5607,7 +5573,6 @@
"description": "[ROADTools](https://attack.mitre.org/software/S0684) is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.(Citation: ROADtools Github)",
"meta": {
"external_id": "S0684",
"mitre_platforms": [],
"refs": [
"https://attack.mitre.org/software/S0684",
"https://github.com/dirkjanm/ROADtools"
@ -5962,7 +5927,8 @@
"refs": [
"https://attack.mitre.org/software/S0677",
"https://github.com/Gerenios/AADInternals",
"https://o365blog.com/aadinternals"
"https://o365blog.com/aadinternals",
"https://o365blog.com/aadinternals/"
],
"synonyms": [
"AADInternals"
@ -6216,5 +6182,5 @@
"value": "Mythic - S0699"
}
],
"version": 23
"version": 24
}
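Review bot: The AADInternals entry (S0677) now lists both `https://o365blog.com/aadinternals` and `https://o365blog.com/aadinternals/`, which differ only by a trailing slash, so the `refs` array carries a near-duplicate reference. Since these cluster files are generated from the upstream bundle, the fix belongs in the reference normalization step (strip a trailing slash before deduplicating) or in an upstream report, rather than a hand edit of the committed JSON.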