From 852f205c752633dedf9bc915a09892983fdae839 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 31 Oct 2023 18:04:23 +0100 Subject: [PATCH] chg: [mitre-attack] updated to ATT&CK v14.0 Enterprise --- clusters/mitre-attack-pattern.json | 1212 ++++++++-- clusters/mitre-course-of-action.json | 360 ++- clusters/mitre-intrusion-set.json | 1784 ++++++++++++++- clusters/mitre-malware.json | 3122 +++++++++++++++++++++++++- clusters/mitre-tool.json | 361 ++- 5 files changed, 6556 insertions(+), 283 deletions(-) diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json index ca66d8d..277f4d8 100644 --- a/clusters/mitre-attack-pattern.json +++ b/clusters/mitre-attack-pattern.json @@ -378,7 +378,15 @@ "https://attack.mitre.org/techniques/T1445" ] }, - "related": [], + "related": [ + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", "value": "Abuse of iOS Enterprise App Signing Key - T1445" }, @@ -618,7 +626,7 @@ "value": "Identify vulnerabilities in third-party software libraries - T1389" }, { - "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\n\nThe following run keys are created by default on Windows systems:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", + "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nThe following run keys are created by default on Windows systems:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run automatically for the currently logged-on user.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", "meta": { "external_id": "T1547.001", "kill_chain": [ @@ -684,7 +692,7 @@ "value": "Clear Linux or Mac System Logs - T1070.002" }, { - "description": "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\n\nNetwork connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\n\nWindows may also store information about recent RDP connections in files such as C:\\Users\\\\%username%\\Documents\\Default.rdp and `C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Terminal\nServer Client\\Cache\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nMalicious network connections may also require changes to network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.", + "description": "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\n\nNetwork connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\n\nWindows may also store information about recent RDP connections in files such as C:\\Users\\\\%username%\\Documents\\Default.rdp and `C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Terminal\nServer Client\\Cache\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nMalicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.", "meta": { "external_id": "T1070.007", "kill_chain": [ @@ -816,7 +824,7 @@ "value": "Compromise Software Dependencies and Development Tools - T1474.001" }, { - "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\n\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\n\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.", + "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. \n\nAdversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.\n\nFor example, on Windows if an adversary places a malicious program named \"net.exe\" in `C:\\example path`, which by default precedes `C:\\Windows\\system32\\net.exe` in the PATH environment variable, when \"net\" is executed from the command-line the `C:\\example path` will be called instead of the system's legitimate executable at `C:\\Windows\\system32\\net.exe`. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021)\n\nAdversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the `$PATH` variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)", "meta": { "external_id": "T1574.007", "kill_chain": [ @@ -830,10 +838,16 @@ "Windows Registry: Windows Registry Key Modification" ], "mitre_platforms": [ - "Windows" + "Windows", + "macOS", + "Linux" ], "refs": [ - "https://attack.mitre.org/techniques/T1574/007" + "https://attack.mitre.org/techniques/T1574/007", + "https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/", + "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html", + "https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/", + "https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware" ] }, "related": [ @@ -879,6 +893,40 @@ "uuid": "58af3705-8740-4c68-9329-ec015a7013c2", "value": "Path Interception by Search Order Hijacking - T1574.008" }, + { + "description": "Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.\n\nOften referred to as `auditd`, this is the name of the daemon used to write events to disk and is governed by the parameters set in the `audit.conf` configuration file. Two primary ways to configure the log generation rules are through the command line `auditctl` utility and the file `/etc/audit/audit.rules`, containing a sequence of `auditctl` commands loaded at boot time.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022)\n\nWith root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with `auditd` daemon or use `systemctl` to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the `/etc/audit/audit.rules` or `audit.conf` files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014)", + "meta": { + "external_id": "T1562.012", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "Command: Command Execution", + "File: File Deletion", + "File: File Modification", + "Process: OS API Execution", + "Process: Process Modification" + ], + "mitre_platforms": [ + "Linux" + ], + "refs": [ + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing", + "https://attack.mitre.org/techniques/T1562/012", + "https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/", + "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" + ] + }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "type": "subtechnique-of" + } + ], + "uuid": "562e9b64-7239-493d-80f4-2bff900d9054", + "value": "Disable or Modify Linux Audit System - T1562.012" + }, { "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in.\n\nThe startup folder path for the current user is:\n* C:\\Users\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\nThe startup folder path for all users is:\n* C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\n\nThe following run keys are created by default on Windows systems:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nThe HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", "meta": { @@ -1039,7 +1087,15 @@ "https://attack.mitre.org/techniques/T1441" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "a21a6a79-f9a1-4c87-aed9-ba2d79536881", "value": "Stolen Developer Credentials or Signing Keys - T1441" }, @@ -1522,6 +1578,7 @@ "mitre_data_sources": [ "File: File Metadata", "Image: Image Metadata", + "Process: Process Creation", "Process: Process Metadata" ], "mitre_platforms": [ @@ -1531,10 +1588,10 @@ "Containers" ], "refs": [ - "http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf", "https://attack.mitre.org/techniques/T1036/005", "https://docs.docker.com/engine/reference/commandline/images/", - "https://twitter.com/ItsReallyNick/status/1055321652777619457" + "https://twitter.com/ItsReallyNick/status/1055321652777619457", + "https://www.elastic.co/blog/how-hunt-masquerade-ball" ] }, "related": [ @@ -1546,6 +1603,32 @@ "uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "value": "Match Legitimate Name or Location - T1036.005" }, + { + "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`). \n\nAdversaries may also use the same icon of the file or application they are trying to mimic.\n", + "meta": { + "external_id": "T1655.001", + "kill_chain": [ + "mitre-mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1655/001", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html" + ] + }, + "related": [ + { + "dest-uuid": "f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", + "type": "subtechnique-of" + } + ], + "uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "value": "Match Legitimate Name or Location - T1655.001" + }, { "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\n\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)", "meta": { @@ -1607,6 +1690,45 @@ "uuid": "77532a55-c283-4cd2-bc5d-2d0b65e9d88c", "value": "Disable or Modify Cloud Firewall - T1562.007" }, + { + "description": "An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.\n\nFor example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)", + "meta": { + "external_id": "T1562.008", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "Cloud Service: Cloud Service Disable", + "Cloud Service: Cloud Service Modification", + "User Account: User Account Modification" + ], + "mitre_platforms": [ + "IaaS", + "SaaS", + "Google Workspace", + "Azure AD", + "Office 365" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1562/008", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html", + "https://cloud.google.com/logging/docs/audit/configure-data-access", + "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html", + "https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete", + "https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/", + "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py", + "https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591" + ] + }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "type": "subtechnique-of" + } + ], + "uuid": "cacc40da-4c9e-462c-80d5-fd70a178b12d", + "value": "Disable or Modify Cloud Logs - T1562.008" + }, { "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nBecause of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nSimilar to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)\n\n* Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).\n* Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.\n* Modifying the DLL and Function Registry values in HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).\n* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nHijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)", "meta": { @@ -2174,7 +2296,8 @@ "File: File Access", "Network Share: Network Share Access", "Network Traffic: Network Connection Creation", - "Network Traffic: Network Traffic Content" + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" ], "mitre_platforms": [ "Linux", @@ -2301,7 +2424,15 @@ "https://attack.mitre.org/techniques/T1431" ] }, - "related": [], + "related": [ + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2", "value": "App Delivered via Web Download - T1431" }, @@ -2662,7 +2793,15 @@ "https://attack.mitre.org/techniques/T1434" ] }, - "related": [], + "related": [ + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2", "value": "App Delivered via Email Attachment - T1434" }, @@ -3282,7 +3421,8 @@ "mitre_data_sources": [ "Command: Command Execution", "File: File Deletion", - "Process: OS API Execution" + "Process: OS API Execution", + "Process: Process Creation" ], "mitre_platforms": [ "Windows" @@ -3372,6 +3512,37 @@ "uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "value": "Distributed Component Object Model - T1021.003" }, + { + "description": "Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the [Cloud API](https://attack.mitre.org/techniques/T1059/009), such as Azure Serial Console(Citation: Azure Serial Console), AWS EC2 Instance Connect(Citation: EC2 Instance Connect)(Citation: lucr-3: Getting SaaS-y in the cloud), and AWS System Manager.(Citation: AWS System Manager).\n\nMethods of authentication for these connections can include passwords, application access tokens, or SSH keys. These cloud native methods may, by default, allow for privileged access on the host with SYSTEM or root level access. \n\nAdversaries may utilize these cloud native methods to directly access virtual infrastructure and pivot through an environment.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console) These connections typically provide direct console access to the VM rather than the execution of scripts (i.e., [Cloud Administration Command](https://attack.mitre.org/techniques/T1651)).", + "meta": { + "external_id": "T1021.008", + "kill_chain": [ + "mitre-attack:lateral-movement" + ], + "mitre_data_sources": [ + "Logon Session: Logon Session Creation" + ], + "mitre_platforms": [ + "IaaS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1021/008", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html", + "https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html", + "https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview", + "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud", + "https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial" + ] + }, + "related": [ + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "type": "subtechnique-of" + } + ], + "uuid": "45241b9e-9bbc-4826-a2cc-78855e51ca09", + "value": "Direct Cloud VM Connections - T1021.008" + }, { "description": "An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location) ", "meta": { @@ -3463,7 +3634,8 @@ "meta": { "external_id": "T1098.002", "kill_chain": [ - "mitre-attack:persistence" + "mitre-attack:persistence", + "mitre-attack:privilege-escalation" ], "mitre_data_sources": [ "Application Log: Application Log Content", @@ -3561,6 +3733,39 @@ "uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "value": "Archive via Custom Method - T1560.003" }, + { + "description": "An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.(Citation: Kubernetes RBAC)(Citation: Aquasec Kubernetes Attack 2023) Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.(Citation: Kuberentes ABAC)\n \nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. \n\nNote that where container orchestration systems are deployed in cloud environments, as with Google Kubernetes Engine, Amazon Elastic Kubernetes Service, and Azure Kubernetes Service, cloud-based role-based access control (RBAC) assignments or ABAC policies can often be used in place of or in addition to local permission assignments.(Citation: Google Cloud Kubernetes IAM)(Citation: AWS EKS IAM Roles for Service Accounts)(Citation: Microsoft Azure Kubernetes Service Service Accounts) In these cases, this technique may be used in conjunction with [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).", + "meta": { + "external_id": "T1098.006", + "kill_chain": [ + "mitre-attack:persistence", + "mitre-attack:privilege-escalation" + ], + "mitre_data_sources": [ + "User Account: User Account Modification" + ], + "mitre_platforms": [ + "Containers" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1098/006", + "https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters", + "https://cloud.google.com/kubernetes-engine/docs/how-to/iam", + "https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html", + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://kubernetes.io/docs/reference/access-authn-authz/abac/", + "https://learn.microsoft.com/en-us/azure/aks/concepts-identity" + ] + }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "type": "subtechnique-of" + } + ], + "uuid": "35d30338-5bfa-41b0-a170-ec06dfd75f64", + "value": "Additional Container Cluster Roles - T1098.006" + }, { "description": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. \n\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.\n\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process. ", "meta": { @@ -3651,7 +3856,7 @@ "value": "Code Signing Policy Modification - T1632.001" }, { - "description": "Adversaries may execute their own malicious payloads by hijacking the way an operating system run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \n\n\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.", + "description": "Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \n\n\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.", "meta": { "external_id": "T1625.001", "kill_chain": [ @@ -3675,7 +3880,7 @@ "value": "System Runtime API Hijacking - T1625.001" }, { - "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) \n\nAdversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)", + "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) \n\nAdversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \n\nOn network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)\n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)", "meta": { "external_id": "T1562.001", "kill_chain": [ @@ -3684,6 +3889,7 @@ "mitre_data_sources": [ "Command: Command Execution", "Driver: Driver Load", + "Process: Process Creation", "Process: Process Termination", "Sensor Health: Host Status", "Service: Service Metadata", @@ -3695,7 +3901,8 @@ "macOS", "Linux", "Containers", - "IaaS" + "IaaS", + "Network" ], "refs": [ "https://attack.mitre.org/techniques/T1562/001", @@ -3706,6 +3913,8 @@ "https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html", "https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/", "https://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/", + "https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis", + "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem", "https://www.mandiant.com/resources/chasing-avaddon-ransomware", "https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/" ] @@ -4014,7 +4223,8 @@ "Process: Process Creation", "Script: Script Execution", "Sensor Health: Host Status", - "Windows Registry: Windows Registry Key Creation" + "Windows Registry: Windows Registry Key Creation", + "Windows Registry: Windows Registry Key Modification" ], "mitre_platforms": [ "Windows" @@ -4519,6 +4729,43 @@ "uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0", "value": "Application or System Exploitation - T1499.004" }, + { + "description": "Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. \n\nJust-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Google Cloud Just in Time Access 2023)(Citation: Azure Just in Time Access 2023)\n\nAccount impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the `iam.serviceAccountTokenCreator` role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account.(Citation: Google Cloud Service Account Authentication Roles) In Exchange Online, the `ApplicationImpersonation` role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange) \n\nMany cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. In AWS, users with the `PassRole` permission can allow a service they create to assume a given role, while in GCP, users with the `iam.serviceAccountUser` role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles)\n\nWhile users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation)\n\n**Note:** this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)", + "meta": { + "external_id": "T1548.005", + "kill_chain": [ + "mitre-attack:privilege-escalation", + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "User Account: User Account Modification" + ], + "mitre_platforms": [ + "IaaS", + "Azure AD", + "Office 365" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1548/005", + "https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project", + "https://cloud.google.com/iam/docs/service-account-permissions", + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html", + "https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/approve-just-in-time-access", + "https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-ews-in-exchange", + "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", + "https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/", + "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" + ] + }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "type": "subtechnique-of" + } + ], + "uuid": "6fa224c7-5091-4595-bf15-3fc9fe2f2c7c", + "value": "Temporary Elevated Cloud Access - T1548.005" + }, { "description": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming) \n\nWhen used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)\n\nKernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload and kextunload commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)\n\nSince macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as \"Legacy System Extensions\" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)\n\nAdversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)", "meta": { @@ -4569,6 +4816,67 @@ "uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", "value": "Kernel Modules and Extensions - T1547.006" }, + { + "description": "Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. \n\nSecrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables. \n\nIf an adversary is able to gain sufficient privileges in a cloud environment – for example, by obtaining the credentials of high-privileged [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004) or compromising a service that has permission to retrieve secrets – they may be able to request secrets from the secrets manager. This can be accomplished via commands such as `get-secret-value` in AWS, `gcloud secrets describe` in GCP, and `az key vault secret show` in Azure.(Citation: Permiso Scattered Spider 2023)(Citation: Sysdig ScarletEel 2.0 2023)(Citation: AWS Secrets Manager)(Citation: Google Cloud Secrets)(Citation: Microsoft Azure Key Vault)\n\n**Note:** this technique is distinct from [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005) in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.", + "meta": { + "external_id": "T1555.006", + "kill_chain": [ + "mitre-attack:credential-access" + ], + "mitre_data_sources": [ + "Cloud Service: Cloud Service Enumeration" + ], + "mitre_platforms": [ + "IaaS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1555/006", + "https://cloud.google.com/secret-manager/docs/view-secret-details", + "https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html", + "https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-cli", + "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud", + "https://sysdig.com/blog/scarleteel-2-0/" + ] + }, + "related": [ + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "type": "subtechnique-of" + } + ], + "uuid": "cfb525cc-5494-401d-a82b-2539ca46a561", + "value": "Cloud Secrets Management Stores - T1555.006" + }, + { + "description": "Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.\n\nFor example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)", + "meta": { + "external_id": "T1578.005", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "Cloud Service: Cloud Service Modification" + ], + "mitre_platforms": [ + "IaaS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1578/005", + "https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute", + "https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121", + "https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/", + "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/" + ] + }, + "related": [ + { + "dest-uuid": "144e007b-e638-431d-a894-45d90c54ab90", + "type": "subtechnique-of" + } + ], + "uuid": "ca00366b-83a1-4c7b-a0ce-8ff950a7c87f", + "value": "Modify Cloud Compute Configurations - T1578.005" + }, { "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\n\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)\n\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)\n\nAdversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, If adversaries launch their malicious services using svchost.exe, the service’s file may be identified using HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll.(Citation: malware_hides_service)", "meta": { @@ -5131,7 +5439,7 @@ "value": "Credentials from Web Browsers - T1503" }, { - "description": "Adversaries may access data from improperly secured cloud storage.\n\nMany cloud service providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. \n\nIn other cases, SaaS application providers such as Slack, Confluence, and Salesforce also provide cloud storage solutions as a peripheral use case of their platform. These cloud objects can be extracted directly from their associated application.(Citation: EA Hacked via Slack - June 2021)(Citation: SecureWorld - How Secure Is Your Slack Channel - Dec 2021)(Citation: HackerNews - 3 SaaS App Cyber Attacks - April 2022)(Citation: Dark Clouds_Usenix_Mulazzani_08_2011)\n\nAdversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.\n\nThis open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)\n\nAdversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.", + "description": "Adversaries may access data from cloud storage.\n\nMany IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform. \n\nIn some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the [Cloud API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)). \n\nAdversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.\n\nThis open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)\n\nAdversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.", "meta": { "external_id": "T1530", "kill_chain": [ @@ -5142,7 +5450,9 @@ ], "mitre_platforms": [ "IaaS", - "SaaS" + "SaaS", + "Google Workspace", + "Office 365" ], "refs": [ "https://attack.mitre.org/techniques/T1530", @@ -5150,12 +5460,8 @@ "https://cloud.google.com/storage/docs/best-practices", "https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide", "https://redcanary.com/blog/rclone-mega-extortion/", - "https://thehackernews.com/2022/04/into-breach-breaking-down-3-saas-app.html", "https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/", - "https://www.secureworld.io/industry-news/how-secure-is-your-slack-channel#:~:text=Electronic%20Arts%20hacked%20through%20Slack%20channel&text=In%20total%2C%20the%20hackers%20claim,credentials%20over%20a%20Slack%20channel.", - "https://www.techradar.com/news/ea-hack-reportedly-used-stolen-cookies-and-slack-to-hack-gaming-giant", "https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia", - "https://www.usenix.org/conference/usenix-security-11/dark-clouds-horizon-using-cloud-storage-attack-vector-and-online-slack", "https://www.wired.com/story/magecart-amazon-cloud-hacks/" ] }, @@ -5265,12 +5571,20 @@ "https://attack.mitre.org/techniques/T1440" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b", "value": "Detect App Analysis Environment - T1440" }, { - "description": "Adversaries may exploit software vulnerabilities in order to to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. ", + "description": "Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. ", "meta": { "external_id": "T1404", "kill_chain": [ @@ -5640,7 +5954,7 @@ "value": "Bypass User Account Control - T1088" }, { - "description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\n\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.", + "description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\n\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.\n\nThere have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)", "meta": { "external_id": "T1211", "kill_chain": [ @@ -5653,10 +5967,15 @@ "mitre_platforms": [ "Linux", "Windows", - "macOS" + "macOS", + "SaaS", + "IaaS" ], "refs": [ - "https://attack.mitre.org/techniques/T1211" + "https://attack.mitre.org/techniques/T1211", + "https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/", + "https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/", + "https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/" ] }, "uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", @@ -5697,7 +6016,7 @@ "value": "Extra Window Memory Injection - T1181" }, { - "description": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.", + "description": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. \n\nCredentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack)\n\nSuch exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access)\n\nExploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.", "meta": { "external_id": "T1212", "kill_chain": [ @@ -5711,12 +6030,17 @@ "mitre_platforms": [ "Linux", "Windows", - "macOS" + "macOS", + "Azure AD" ], "refs": [ "https://adsecurity.org/?p=1515", "https://attack.mitre.org/techniques/T1212", - "https://technet.microsoft.com/en-us/library/security/ms14-068.aspx" + "https://technet.microsoft.com/en-us/library/security/ms14-068.aspx", + "https://twitter.com/MsftSecIntel/status/1671579359994343425", + "https://www.bugcrowd.com/glossary/replay-attack/", + "https://www.comparitech.com/blog/information-security/what-is-a-replay-attack/", + "https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/" ] }, "uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", @@ -6555,7 +6879,7 @@ "value": "Post compromise tool development - T1353" }, { - "description": "Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", + "description": "Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", "meta": { "external_id": "T1634", "kill_chain": [ @@ -6673,7 +6997,7 @@ "value": "Remote Service Session Hijacking - T1563" }, { - "description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\n\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.", + "description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\n\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.", "meta": { "external_id": "T1539", "kill_chain": [ @@ -6826,7 +7150,7 @@ "value": "Network Denial of Service - T1464" }, { - "description": "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.", + "description": "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)\n\nSince these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.", "meta": { "external_id": "T1554", "kill_chain": [ @@ -6844,7 +7168,9 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/techniques/T1554" + "https://attack.mitre.org/techniques/T1554", + "https://unit42.paloaltonetworks.com/banking-trojan-techniques/#post-125550-_rm3d6xxbk52n", + "https://web-assets.esetstatic.com/wls/2021/10/eset_fontonlake.pdf" ] }, "uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", @@ -6885,12 +7211,17 @@ "Process: OS API Execution", "Process: Process Creation", "Process: Process Metadata", + "User Account: User Account Modification", "Windows Registry: Windows Registry Key Modification" ], "mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Office 365", + "IaaS", + "Google Workspace", + "Azure AD" ], "refs": [ "https://attack.mitre.org/techniques/T1548" @@ -7113,13 +7444,14 @@ "value": "Endpoint Denial of Service - T1499" }, { - "description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", + "description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", "meta": { "external_id": "T1555", "kill_chain": [ "mitre-attack:credential-access" ], "mitre_data_sources": [ + "Cloud Service: Cloud Service Enumeration", "Command: Command Execution", "File: File Access", "Process: OS API Execution", @@ -7129,7 +7461,8 @@ "mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "IaaS" ], "refs": [ "https://attack.mitre.org/techniques/T1555" @@ -7146,6 +7479,7 @@ "mitre-attack:exfiltration" ], "mitre_data_sources": [ + "Application Log: Application Log Content", "Command: Command Execution", "File: File Access", "Network Traffic: Network Connection Creation", @@ -7155,7 +7489,10 @@ "mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Office 365", + "SaaS", + "Google Workspace" ], "refs": [ "https://attack.mitre.org/techniques/T1567" @@ -7164,6 +7501,24 @@ "uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", "value": "Exfiltration Over Web Service - T1567" }, + { + "description": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries may take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility. \n\nAdversaries may use device-based zero-click exploits for code execution. These exploits are powerful because there is no user interaction required for code execution. \n\n### SMS/iMessage Delivery \n\nSMS and iMessage in iOS are common targets through [Drive-By Compromise](https://attack.mitre.org/techniques/T1456), [Phishing](https://attack.mitre.org/techniques/T1660), etc. Adversaries may use embed malicious links, files, etc. in SMS messages or iMessages. Mobile devices may be compromised through one-click exploits, where the victim must interact with a text message, or zero-click exploits, where no user interaction is required. \n\n### AirDrop \n\nUnique to iOS, AirDrop is a network protocol that allows iOS users to transfer files between iOS devices. Before patches from Apple were released, on iOS 13.4 and earlier, adversaries may force the Apple Wireless Direct Link (AWDL) interface to activate, then exploit a buffer overflow to gain access to the device and run as root without interaction from the user. ", + "meta": { + "external_id": "T1658", + "kill_chain": [ + "mitre-mobile-attack:execution" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1658" + ] + }, + "uuid": "5abfc5e6-3c56-49e7-ad72-502d01acf28b", + "value": "Exploitation for Client Execution - T1658" + }, { "description": "Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)\n\nAdversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", "meta": { @@ -7196,6 +7551,7 @@ "mitre-attack:defense-evasion" ], "mitre_data_sources": [ + "Cloud Service: Cloud Service Metadata", "Instance: Instance Creation", "Instance: Instance Deletion", "Instance: Instance Metadata", @@ -7605,7 +7961,8 @@ "Logon Session: Logon Session Creation", "Network Share: Network Share Access", "Network Traffic: Network Connection Creation", - "Network Traffic: Network Traffic Flow" + "Network Traffic: Network Traffic Flow", + "Process: Process Creation" ], "mitre_platforms": [ "Windows" @@ -7695,6 +8052,7 @@ "mitre_data_sources": [ "Command: Command Execution", "File: File Access", + "File: File Creation", "Windows Registry: Windows Registry Key Access" ], "mitre_platforms": [ @@ -7917,6 +8275,7 @@ ], "mitre_data_sources": [ "Logon Session: Logon Session Creation", + "Logon Session: Logon Session Metadata", "Network Traffic: Network Connection Creation", "Network Traffic: Network Traffic Flow", "Process: Process Creation" @@ -8070,6 +8429,7 @@ "Command: Command Execution", "Logon Session: Logon Session Creation", "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Flow", "Process: Process Creation", "Service: Service Metadata" ], @@ -8094,7 +8454,7 @@ "value": "Windows Remote Management - T1021.006" }, { - "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", + "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", "meta": { "external_id": "T1071.002", "kill_chain": [ @@ -8317,11 +8677,12 @@ "value": "Archive via Utility - T1560.001" }, { - "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nFor example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)\n\nIn AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation Persistence)", + "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nFor example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) \n\nIn AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation Persistence)", "meta": { "external_id": "T1098.001", "kill_chain": [ - "mitre-attack:persistence" + "mitre-attack:persistence", + "mitre-attack:privilege-escalation" ], "mitre_data_sources": [ "User Account: User Account Modification" @@ -8338,8 +8699,10 @@ "https://expel.io/blog/finding-evil-in-aws/", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/", + "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1", + "https://sysdig.com/blog/scarleteel-2-0/", "https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/", "https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815" ] @@ -8370,7 +8733,7 @@ "https://attack.mitre.org/techniques/T1430/002", "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf", "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", - "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf", + "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf", "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf", "https://www.youtube.com/watch?v=q0n5ySqbfdI" ] @@ -8629,10 +8992,10 @@ "Windows" ], "refs": [ - "http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf", "https://attack.mitre.org/techniques/T1036/003", "https://lolbas-project.github.io/", "https://twitter.com/ItsReallyNick/status/1055321652777619457", + "https://www.elastic.co/blog/how-hunt-masquerade-ball", "https://www.f-secure.com/documents/996508/1030745/CozyDuke" ] }, @@ -8973,11 +9336,43 @@ "value": "Masquerade File Type - T1036.008" }, { - "description": "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)\n(Citation: Microsoft O365 Admin Roles) \n\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\n\nFor example, in Azure AD environments, an adversary with the Application Administrator role can add [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to their application's service principal. In doing so the adversary would be able to gain the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) Similarly, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)\n\nSimilarly, an adversary with the Azure AD Global Administrator role can toggle the “Access management for Azure resources” option to gain the ability to assign privileged access to Azure subscriptions and virtual machines to Azure AD users, including themselves.(Citation: Azure AD to AD) ", + "description": "An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the “parent-child\" relationship for detection, breaking this relationship could result in the adversary’s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 2022) \n\nOn Linux systems, adversaries may execute a series of [Native API](https://attack.mitre.org/techniques/T1106) calls to alter malware's process tree. For example, adversaries can execute their payload without any arguments, call the `fork()` API call twice, then have the parent process exit. This creates a grandchild process with no parent process that is immediately adopted by the `init` system process (PID 1), which successfully disconnects the execution of the adversary's payload from its previous process tree.\n\nAnother example is using the “daemon” syscall to detach from the current parent process and run in the background.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022) ", + "meta": { + "external_id": "T1036.009", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "Process: OS API Execution", + "Process: Process Creation" + ], + "mitre_platforms": [ + "Linux", + "macOS" + ], + "refs": [ + "https://0xjet.github.io/3OHA/2022/04/11/post.html", + "https://attack.mitre.org/techniques/T1036/009", + "https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", + "https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "type": "subtechnique-of" + } + ], + "uuid": "34a80bc4-80f2-46e6-94ff-f3265a4b657c", + "value": "Break Process Trees - T1036.009" + }, + { + "description": "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)\n(Citation: Microsoft O365 Admin Roles) \n\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\n\nFor example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)", "meta": { "external_id": "T1098.003", "kill_chain": [ - "mitre-attack:persistence" + "mitre-attack:persistence", + "mitre-attack:privilege-escalation" ], "mitre_data_sources": [ "User Account: User Account Modification" @@ -8990,13 +9385,11 @@ "Azure AD" ], "refs": [ - "https://adsecurity.org/?p=4277", "https://attack.mitre.org/techniques/T1098/003", "https://cloud.google.com/iam/docs/policies", "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html", "https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide", "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/", - "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d" ] @@ -9120,11 +9513,12 @@ "value": "Credential API Hooking - T1056.004" }, { - "description": "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.\n\nAdversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) \n\nWhere authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. \n\nSSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)", + "description": "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.\n\nAdversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.\n\nWhere authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. \n\nSSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)", "meta": { "external_id": "T1098.004", "kill_chain": [ - "mitre-attack:persistence" + "mitre-attack:persistence", + "mitre-attack:privilege-escalation" ], "mitre_data_sources": [ "Command: Command Execution", @@ -9347,6 +9741,7 @@ "mitre-attack:collection" ], "mitre_data_sources": [ + "Application Log: Application Log Content", "Command: Command Execution", "Logon Session: Logon Session Creation", "Network Traffic: Network Connection Creation" @@ -9389,7 +9784,7 @@ "https://docs.microsoft.com/previous-versions/windows/desktop/htmlhelp/microsoft-html-help-1-4-sdk", "https://msdn.microsoft.com/windows/desktop/ms524405", "https://msdn.microsoft.com/windows/desktop/ms644670", - "https://msitpros.com/?p=3909", + "https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8625" ] }, @@ -9714,6 +10109,35 @@ "uuid": "ed730f20-0e44-48b9-85f8-0e2adeb76867", "value": "Determine Physical Locations - T1591.001" }, + { + "description": "Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory. \n\nAdversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., [Malicious File](https://attack.mitre.org/techniques/T1204/002)), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)/[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218) arguments within the target path field of the LNK.(Citation: Unprotect Shortcut)(Citation: Booby Trap Shortcut 2017)\n\nLNK Icon Smuggling may also be utilized post compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads. \n", + "meta": { + "external_id": "T1027.012", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "File: File Creation", + "File: File Metadata" + ], + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1027/012", + "https://unprotect.it/technique/shortcut-hiding/", + "https://www.uperesia.com/booby-trapped-shortcut" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": "subtechnique-of" + } + ], + "uuid": "887274fc-2d63-4bdc-82f3-fae56d1d5fdc", + "value": "LNK Icon Smuggling - T1027.012" + }, { "description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. Adversaries can abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)", "meta": { @@ -9759,7 +10183,8 @@ ], "mitre_data_sources": [ "Command: Command Execution", - "File: File Access" + "File: File Access", + "Process: Process Creation" ], "mitre_platforms": [ "Windows", @@ -9879,7 +10304,7 @@ "value": "Suppress Application Icon - T1628.001" }, { - "description": "Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\n\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal.", + "description": "Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\n\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.\n\n* Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen \n\n* Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event ", "meta": { "external_id": "T1629.001", "kill_chain": [ @@ -10742,43 +11167,6 @@ "uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "value": "Domain Generation Algorithms - T1568.002" }, - { - "description": "An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities.\n\nFor example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)", - "meta": { - "external_id": "T1562.008", - "kill_chain": [ - "mitre-attack:defense-evasion" - ], - "mitre_data_sources": [ - "Cloud Service: Cloud Service Disable", - "Cloud Service: Cloud Service Modification", - "User Account: User Account Modification" - ], - "mitre_platforms": [ - "IaaS", - "SaaS", - "Google Workspace", - "Azure AD", - "Office 365" - ], - "refs": [ - "https://attack.mitre.org/techniques/T1562/008", - "https://cloud.google.com/logging/docs/audit/configure-data-access", - "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html", - "https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete", - "https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/", - "https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591" - ] - }, - "related": [ - { - "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", - "type": "subtechnique-of" - } - ], - "uuid": "cacc40da-4c9e-462c-80d5-fd70a178b12d", - "value": "Disable Cloud Logs - T1562.008" - }, { "description": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)\n\nAdversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)\n\nAdversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)", "meta": { @@ -11542,6 +11930,48 @@ "uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", "value": "Dynamic Linker Hijacking - T1574.006" }, + { + "description": "Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.(Citation: RedHat Webhooks) Many public and commercial services, such as Discord, Slack, and `webhook.site`, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.(Citation: Discord Intro to Webhooks) When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application. \n\nAdversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated [Automated Exfiltration](https://attack.mitre.org/techniques/T1020) of emails, chat messages, and other data.(Citation: Push Security SaaS Attacks Repository Webhooks) Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.(Citation: Microsoft SQL Server)\n\nAccess to webhook endpoints is often over HTTPS, which gives the adversary an additional level of protection. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint points to a commonly used SaaS application or collaboration service.(Citation: CyberArk Labs Discord)(Citation: Talos Discord Webhook Abuse)(Citation: Checkmarx Webhooks)", + "meta": { + "external_id": "T1567.004", + "kill_chain": [ + "mitre-attack:exfiltration" + ], + "mitre_data_sources": [ + "Application Log: Application Log Content", + "Command: Command Execution", + "File: File Access", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "mitre_platforms": [ + "Windows", + "macOS", + "Linux", + "SaaS", + "Office 365", + "Google Workspace" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1567/004", + "https://blog.talosintelligence.com/collab-app-abuse/", + "https://github.com/pushsecurity/saas-attacks/blob/main/techniques/webhooks/description.md", + "https://medium.com/checkmarx-security/webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services-6e046b07d191", + "https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks", + "https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord", + "https://www.microsoft.com/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/", + "https://www.redhat.com/en/topics/automation/what-is-a-webhook" + ] + }, + "related": [ + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "type": "subtechnique-of" + } + ], + "uuid": "43f2776f-b4bd-4118-94b8-fee47e69676d", + "value": "Exfiltration Over Webhook - T1567.004" + }, { "description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)\n\nIn some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).", "meta": { @@ -11679,7 +12109,39 @@ "value": "Spoof Security Alerting - T1562.011" }, { - "description": "Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)\n\nWithin an XDG autostart entry file, the Type key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name key indicates an arbitrary name assigned by the creator and the Exec key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys)\n\nAdversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs.", + "description": "Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man) These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes. \n\nAdversaries may invoke processes using `nohup`, [PowerShell](https://attack.mitre.org/techniques/T1059/001) `-ErrorAction SilentlyContinue`, or similar commands that may be immune to hangups.(Citation: nohup Linux Man)(Citation: Microsoft PowerShell SilentlyContinue) This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.\n\nHiding from process interrupt signals may allow malware to continue execution, but unlike [Trap](https://attack.mitre.org/techniques/T1546/005) this does not establish [Persistence](https://attack.mitre.org/tactics/TA0003) since the process will not be re-invoked once actually terminated.", + "meta": { + "external_id": "T1564.011", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1564/011", + "https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_preference_variables?view=powershell-7.3#debugpreference", + "https://linux.die.net/man/1/nohup", + "https://man7.org/linux/man-pages/man7/signal.7.html" + ] + }, + "related": [ + { + "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", + "type": "subtechnique-of" + } + ], + "uuid": "4a2975db-414e-4c0c-bd92-775987514b4b", + "value": "Ignore Process Interrupts - T1564.011" + }, + { + "description": "Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys)\n\nAdversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the `Exec` directive in the `.desktop` configuration file. When the user’s desktop environment is loaded at user login, the `.desktop` files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the `/etc/xdg/autostart` directory while the user entries are located in the `~/.config/autostart` directory.\n\nAdversaries may combine this technique with [Masquerading](https://attack.mitre.org/techniques/T1036) to blend malicious Autostart entries with legitimate programs.(Citation: Red Canary Netwire Linux 2022)", "meta": { "external_id": "T1547.013", "kill_chain": [ @@ -11697,6 +12159,7 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1547/013", + "https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/", "https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html", "https://specifications.freedesktop.org/desktop-entry-spec/1.2/ar01s06.html" ] @@ -12089,7 +12552,7 @@ "value": "Compile After Delivery - T1500" }, { - "description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\n\nUtilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)", + "description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\n\nUtilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)", "meta": { "external_id": "T1006", "kill_chain": [ @@ -12097,7 +12560,8 @@ ], "mitre_data_sources": [ "Command: Command Execution", - "Drive: Drive Access" + "Drive: Drive Access", + "File: File Creation" ], "mitre_platforms": [ "Windows" @@ -12105,7 +12569,8 @@ "refs": [ "http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin", "https://attack.mitre.org/techniques/T1006", - "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1" + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1", + "https://lolbas-project.github.io/lolbas/Binaries/Esentutl/" ] }, "uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", @@ -12356,13 +12821,14 @@ "value": "Device Administrator Permissions - T1401" }, { - "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)\n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)", + "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)", "meta": { "external_id": "T1105", "kill_chain": [ "mitre-attack:command-and-control" ], "mitre_data_sources": [ + "Command: Command Execution", "File: File Creation", "Network Traffic: Network Connection Creation", "Network Traffic: Network Traffic Content", @@ -12377,7 +12843,8 @@ "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "https://attack.mitre.org/techniques/T1105", "https://lolbas-project.github.io/#t1105", - "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf" + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf", + "https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/" ] }, "uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", @@ -12793,7 +13260,7 @@ "value": "Rogue Domain Controller - T1207" }, { - "description": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).\n\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.", + "description": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). \n\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.", "meta": { "external_id": "T1072", "kill_chain": [ @@ -12807,10 +13274,12 @@ "mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "refs": [ - "https://attack.mitre.org/techniques/T1072" + "https://attack.mitre.org/techniques/T1072", + "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem" ] }, "uuid": "92a78814-b191-47ca-909c-1ccfe3777414", @@ -13052,7 +13521,8 @@ "mitre_data_sources": [ "Command: Command Execution", "Network Traffic: Network Connection Creation", - "Process: Process Creation" + "Process: Process Creation", + "WMI: WMI Creation" ], "mitre_platforms": [ "Windows" @@ -13108,7 +13578,8 @@ "macOS", "Linux", "Network", - "IaaS" + "IaaS", + "Containers" ], "refs": [ "https://attack.mitre.org/techniques/T1490", @@ -13293,7 +13764,7 @@ "value": "Pass the Hash - T1075" }, { - "description": "Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)\n\nFiles can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095).", + "description": "Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.\n\nAdversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)\n\nFiles can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)", "meta": { "external_id": "T1570", "kill_chain": [ @@ -13316,7 +13787,8 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1570", - "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/" + "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/", + "https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/" ] }, "uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", @@ -13385,7 +13857,7 @@ "value": "Cloud Infrastructure Discovery - T1580" }, { - "description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\n\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials.(Citation: AWS Temporary Security Credentials)\n\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) ", + "description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\n\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\n\nThe generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)), or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth)\n\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) ", "meta": { "external_id": "T1606", "kill_chain": [ @@ -13412,6 +13884,7 @@ "https://github.com/damianh/aws-adfs-credential-generator", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "https://wiki.zimbra.com/wiki/Preauth", "https://wunderwuzzi23.github.io/blog/passthecookie.html" ] }, @@ -13871,7 +14344,7 @@ "value": "Netsh Helper DLL - T1128" }, { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.(Citation: Symantec Living off the Land)\n\nRemote access tools may be installed and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Installation of many remote access tools may also include persistence (ex: the tool's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).\n\nAdmin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns.(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)", + "description": "An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).", "meta": { "external_id": "T1219", "kill_chain": [ @@ -14917,7 +15390,15 @@ "https://attack.mitre.org/techniques/T1442" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "e30cc912-7ea1-4683-9219-543b86cbdec9", "value": "Fake Developer Accounts - T1442" }, @@ -15117,7 +15598,7 @@ "value": "Implant Internal Image - T1525" }, { - "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\n\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable Cloud Logs](https://attack.mitre.org/techniques/T1562/008).", + "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\n\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008).", "meta": { "external_id": "T1526", "kill_chain": [ @@ -15437,7 +15918,15 @@ "https://attack.mitre.org/techniques/T1443" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "831e3269-da49-48ac-94dc-948008e8fd16", "value": "Remotely Install Application - T1443" }, @@ -15741,6 +16230,24 @@ "uuid": "e49920b0-6c54-40c1-9571-73723653205f", "value": "Cloud Service Dashboard - T1538" }, + { + "description": "Adversaries may use legitimate remote access software, such as `VNC`, `TeamViewer`, `AirDroid`, `AirMirror`, etc., to establish an interactive command and control channel to target mobile devices. \n\nRemote access applications may be installed and used post-compromise as an alternate communication channel for redundant access or as a way to establish an interactive remote session with the target device. They may also be used as a component of malware to establish a reverse connection to an adversary-controlled system or service. Installation of remote access tools may also include persistence. ", + "meta": { + "external_id": "T1663", + "kill_chain": [ + "mitre-mobile-attack:command-and-control" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1663" + ] + }, + "uuid": "0b761f2b-197a-40f2-b100-8152cb957c0c", + "value": "Remote Access Software - T1663" + }, { "description": "Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application’s manifest. On iOS, they must be included in the application’s `Info.plist` file. \n\n \n\nIn almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user’s knowledge or approval. ", "meta": { @@ -15995,7 +16502,15 @@ "https://attack.mitre.org/techniques/T1455" ] }, - "related": [], + "related": [ + { + "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "c91c304a-975d-4501-9789-0db1c57afd3f", "value": "Exploit Baseband Vulnerability - T1455" }, @@ -16503,6 +17018,41 @@ "uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8", "value": "One-Way Communication - T1102.003" }, + { + "description": "Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.\n\nAdversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows names and passwords of all Wi-Fi networks a device has previously connected to may be available through `netsh wlan show profiles` to enumerate Wi-Fi names and then `netsh wlan show profile “Wi-Fi name” key=clear` to show a Wi-Fi network’s corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to `wlanAPI.dll` [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: Binary Defense Emotes Wi-Fi Spreader)\n\nOn Linux, names and passwords of all Wi-Fi-networks a device has previously connected to may be available in files under ` /etc/NetworkManager/system-connections/`.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified with ` security find-generic-password -wa wifiname` (requires admin username/password).(Citation: Find Wi-Fi Password on Mac)\n", + "meta": { + "external_id": "T1016.002", + "kill_chain": [ + "mitre-attack:discovery" + ], + "mitre_data_sources": [ + "Command: Command Execution", + "Process: OS API Execution" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1016/002", + "https://mackeeper.com/blog/find-wi-fi-password-on-mac/", + "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/", + "https://www.binarydefense.com/resources/blog/emotet-evolves-with-new-wi-fi-spreader/", + "https://www.bleepingcomputer.com/news/security/hackers-steal-wifi-passwords-using-upgraded-agent-tesla-malware/", + "https://www.geeksforgeeks.org/wi-fi-password-connected-networks-windowslinux/", + "https://www.malwarebytes.com/blog/news/2020/04/new-agenttesla-variant-steals-wifi-credentials" + ] + }, + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "subtechnique-of" + } + ], + "uuid": "494ab9f0-36e0-4b06-b10d-57285b040a06", + "value": "Wi-Fi Discovery - T1016.002" + }, { "description": "Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).\n\nAdversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including:\n\n* Inserting malicious scripts into web pages or other user controllable web content such as forum posts\n* Modifying script files served to websites from publicly writeable cloud storage buckets\n* Crafting malicious web advertisements and purchasing ad space on a website through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))\n\nIn addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox)\n\nWebsites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to a strategic web compromise or watering hole attack.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).", "meta": { @@ -16853,7 +17403,7 @@ "value": "Command-Line Interface - T1605" }, { - "description": "Adversaries may generate network traffic using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.", + "description": "Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.", "meta": { "external_id": "T1509", "kill_chain": [ @@ -17218,9 +17768,11 @@ ], "mitre_data_sources": [ "Command: Command Execution", + "Logon Session: Logon Session Creation", "Process: OS API Execution", "Process: Process Access", - "Process: Process Creation" + "Process: Process Creation", + "Windows Registry: Windows Registry Key Modification" ], "mitre_platforms": [ "Windows" @@ -18691,7 +19243,9 @@ ], "mitre_data_sources": [ "Command: Command Execution", + "File: File Creation", "File: File Modification", + "Network Traffic: Network Traffic Flow", "Process: Process Creation", "Scheduled Job: Scheduled Job Creation", "Windows Registry: Windows Registry Key Creation" @@ -18703,7 +19257,7 @@ "https://attack.mitre.org/techniques/T1053/005", "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events", - "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml", "https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen", "https://technet.microsoft.com/en-us/sysinternals/bb963902", "https://technet.microsoft.com/library/dd315590.aspx", @@ -18760,7 +19314,7 @@ "value": "Web Shell - T1505.003" }, { - "description": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\n\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\n\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.", + "description": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\n\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\n\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.(Citation: Falcon Sandbox smp: 28553b3a9d)", "meta": { "external_id": "T1053.006", "kill_chain": [ @@ -18784,6 +19338,7 @@ "https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html", "https://wiki.archlinux.org/index.php/Systemd/Timers", "https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/", + "https://www.hybrid-analysis.com/sample/28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7?environmentId=300", "https://www.tecmint.com/control-systemd-services-on-remote-linux-server/" ] }, @@ -18921,7 +19476,8 @@ "Linux", "macOS", "Windows", - "Containers" + "Containers", + "Network" ], "refs": [ "https://attack.mitre.org/techniques/T1078/003" @@ -19029,7 +19585,7 @@ "value": "Unix Shell - T1059.004" }, { - "description": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.\n\nOnce a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges.", + "description": "Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nService or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments.\n\nAn adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. \n\nCloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. \n", "meta": { "external_id": "T1078.004", "kill_chain": [ @@ -19233,7 +19789,8 @@ "meta": { "external_id": "T1098.005", "kill_chain": [ - "mitre-attack:persistence" + "mitre-attack:persistence", + "mitre-attack:privilege-escalation" ], "mitre_data_sources": [ "Active Directory: Active Directory Object Creation", @@ -19267,7 +19824,7 @@ "value": "Device Registration - T1098.005" }, { - "description": "Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: A), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006). \n\nCloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.\n\nWith proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment. ", + "description": "Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006). \n\nCloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.\n\nWith proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment. ", "meta": { "external_id": "T1059.009", "kill_chain": [ @@ -19413,7 +19970,7 @@ "value": "Fileless Storage - T1027.011" }, { - "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username.(Citation: cisco_username_cmd)\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", + "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. \n\nFor example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", "meta": { "external_id": "T1136.001", "kill_chain": [ @@ -19428,11 +19985,13 @@ "Linux", "macOS", "Windows", - "Network" + "Network", + "Containers" ], "refs": [ "https://attack.mitre.org/techniques/T1136/001", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720", + "https://kubernetes.io/docs/concepts/security/service-accounts/", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630" ] }, @@ -19788,6 +20347,7 @@ "mitre_data_sources": [ "Process: OS API Execution", "Process: Process Access", + "Process: Process Creation", "Process: Process Modification" ], "mitre_platforms": [ @@ -19811,7 +20371,7 @@ "value": "Process Hollowing - T1055.012" }, { - "description": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)\n\nAdversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014)", + "description": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation. \n\nAdversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)\n\nAdversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)", "meta": { "external_id": "T1562.010", "kill_chain": [ @@ -19829,9 +20389,11 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1562/010", + "https://blog.checkpoint.com/research/targeted-ssl-stripping-attacks-are-real/amp/", "https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/", "https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/", "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/", + "https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/", "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique", "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/" ] @@ -20641,7 +21203,7 @@ "value": "Device Lockout - T1629.002" }, { - "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. \n\nSystemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`). (Citation: lambert systemd 2022) \n\nService unit files use the following directives to execute system commands:(Citation: freedesktop systemd.service) \n\n* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives cover execution of commands when a service is started manually by `systemctl`, or on system start if the service is set to automatically start.\n* `ExecReload` directive covers when a service restarts. \n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives cover when a service is stopped. \n\nAdversaries may abuse systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files systemd uses upon reboot or starting a service.(Citation: Anomali Rocke March 2019) Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.\n\nThe `.service` file’s `User` directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.(Citation: Rapid7 Service Persistence 22JUNE2016) ", + "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. \n\nSystemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) \n\nInside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service) \n\n* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.\n* `ExecReload` directive executes when a service restarts. \n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. \n\nAdversaries have created new service files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) ", "meta": { "external_id": "T1543.002", "kill_chain": [ @@ -20661,6 +21223,7 @@ ], "refs": [ "http://man7.org/linux/man-pages/man1/systemd.1.html", + "http://www.ouah.org/backdoors.html", "https://attack.mitre.org/techniques/T1543/002", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", "https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/", @@ -21326,7 +21889,7 @@ "value": "Indicator Blocking - T1562.006" }, { - "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \"IDN homograph attack\").(Citation: CISA IDN ST05-016)\n\nAdversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)", + "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.\n\nAdversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \"IDN homograph attack\").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\n\nAdversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)", "meta": { "external_id": "T1566.002", "kill_chain": [ @@ -21351,6 +21914,7 @@ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide", "https://us-cert.cisa.gov/ncas/tips/ST05-016", "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", + "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse", "https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/" ] }, @@ -21397,6 +21961,7 @@ ], "mitre_data_sources": [ "Command: Command Execution", + "Network Traffic: Network Traffic Flow", "Process: Process Creation", "Service: Service Creation", "Windows Registry: Windows Registry Key Modification" @@ -21493,6 +22058,8 @@ "mitre_data_sources": [ "Command: Command Execution", "Driver: Driver Load", + "File: File Metadata", + "Network Traffic: Network Traffic Flow", "Process: OS API Execution", "Process: Process Creation", "Service: Service Creation", @@ -21985,7 +22552,7 @@ "value": "Employee Names - T1589.003" }, { - "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site.\n\nAdversaries may also link to \"web bugs\" or \"web beacons\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)\n\nAdversaries may also be able to spoof a complete website using what is known as a \"browser-in-the-browser\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)\n\nFrom the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", + "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\n\nAdversaries may also link to \"web bugs\" or \"web beacons\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)\n\nAdversaries may also be able to spoof a complete website using what is known as a \"browser-in-the-browser\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)\n\nAdversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to proxy the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor)\n\nFrom the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", "meta": { "external_id": "T1598.003", "kill_chain": [ @@ -22005,7 +22572,9 @@ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide", "https://mrd0x.com/browser-in-the-browser-phishing-attack/", "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", + "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse", "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages", + "https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf", "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html", "https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials" ] @@ -22090,6 +22659,41 @@ "uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", "value": "LC_LOAD_DYLIB Addition - T1546.006" }, + { + "description": "Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.\n\nAll forms of phishing are electronically delivered social engineering. In this scenario, adversaries are not directly sending malware to a victim vice relying on [User Execution](https://attack.mitre.org/techniques/T1204) for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools ([Remote Access Software](https://attack.mitre.org/techniques/T1219)) onto their computer.(Citation: Unit42 Luna Moth)\n\nAdversaries may also combine voice phishing with [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621) in order to trick users into divulging MFA credentials or accepting authentication prompts.(Citation: Proofpoint Vishing)", + "meta": { + "external_id": "T1566.004", + "kill_chain": [ + "mitre-attack:initial-access" + ], + "mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "SaaS", + "Google Workspace" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1566/004", + "https://blog.sygnia.co/luna-moth-false-subscription-scams", + "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/", + "https://www.cisa.gov/uscert/ncas/alerts/aa23-025a", + "https://www.proofpoint.com/us/threat-reference/vishing" + ] + }, + "related": [ + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "type": "subtechnique-of" + } + ], + "uuid": "bb5e59c4-abe7-40c7-8196-e373cb1e5974", + "value": "Spearphishing Voice - T1566.004" + }, { "description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\n\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)", "meta": { @@ -22352,6 +22956,34 @@ "uuid": "19401639-28d0-4c3c-adcc-bc2ba22f6421", "value": "Digital Certificates - T1588.004" }, + { + "description": "Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.\n\nAll forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or \"vishing\"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.(Citation: BOA Telephone Scams)\n\nVictims may also receive phishing messages that direct them to call a phone number (\"callback phishing\") where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)\n\nAdversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to tailor pretexts to be even more persuasive and believable for the victim.", + "meta": { + "external_id": "T1598.004", + "kill_chain": [ + "mitre-attack:reconnaissance" + ], + "mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "mitre_platforms": [ + "PRE" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1598/004", + "https://business.bofa.com/en-us/content/what-is-vishing.html", + "https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-callback-phishing" + ] + }, + "related": [ + { + "dest-uuid": "cca0ccb6-a068-4574-a722-b1556f86833a", + "type": "subtechnique-of" + } + ], + "uuid": "6a5d222a-a7e0-4656-b110-782c33098289", + "value": "Spearphishing Voice - T1598.004" + }, { "description": "Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)\n\nAdversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)\n Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)", "meta": { @@ -22552,7 +23184,7 @@ "value": "Plist Modification - T1547.011" }, { - "description": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. \n\nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.", + "description": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors)\n\nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry key that points to the DLL.\n\nFor the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the GetPrintProcessorDirectory API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)\n\nThe print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.", "meta": { "external_id": "T1547.012", "kill_chain": [ @@ -22572,6 +23204,7 @@ "refs": [ "https://attack.mitre.org/techniques/T1547/012", "https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor", + "https://learn.microsoft.com/windows-hardware/drivers/print/introduction-to-print-processors", "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" ] }, @@ -23296,12 +23929,14 @@ "Network Share: Network Share Access", "Network Traffic: Network Connection Creation", "Network Traffic: Network Traffic Flow", - "Process: Process Creation" + "Process: Process Creation", + "WMI: WMI Creation" ], "mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "IaaS" ], "refs": [ "http://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html", @@ -23484,7 +24119,15 @@ "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "06780952-177c-4247-b978-79c357fb311f", "value": "Plist Modification - T1150" }, @@ -23542,7 +24185,7 @@ "value": "Shared Webroot - T1051" }, { - "description": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\n\nNative API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\n\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\n\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)).", + "description": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\n\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.\n\nNative API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\n\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\n\nAdversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001).", "meta": { "external_id": "T1106", "kill_chain": [ @@ -23567,6 +24210,7 @@ "https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework", "https://man7.org/linux/man-pages//man7/libc.7.html", "https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/", + "https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls", "https://undocumented.ntinternals.net/", "https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/", "https://www.gnu.org/software/libc/", @@ -24641,11 +25285,12 @@ "value": "Multilayer Encryption - T1079" }, { - "description": "Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).", + "description": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).", "meta": { "external_id": "T1098", "kill_chain": [ - "mitre-attack:persistence" + "mitre-attack:persistence", + "mitre-attack:privilege-escalation" ], "mitre_data_sources": [ "Active Directory: Active Directory Object Modification", @@ -24664,7 +25309,8 @@ "macOS", "Google Workspace", "SaaS", - "Network" + "Network", + "Containers" ], "refs": [ "https://attack.mitre.org/techniques/T1098", @@ -24686,6 +25332,7 @@ ], "mitre_data_sources": [ "Command: Command Execution", + "Network Traffic: Network Traffic Flow", "Process: OS API Execution", "Process: Process Creation", "Windows Registry: Windows Registry Key Creation", @@ -25158,7 +25805,15 @@ "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9", "value": "Login Item - T1162" }, @@ -25254,7 +25909,7 @@ "value": "Spearphishing Link - T1192" }, { - "description": "Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API.(Citation: Wikipedia Windows Library Files)\n\nThe module loader can load DLLs:\n\n* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\n \n* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\n \n* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\n \n* via <file name=\"filename.extension\" loadFrom=\"fully-qualified or relative pathname\"> in an embedded or external \"application manifest\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\n\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.", + "description": "Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).\n\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.\n\nThe Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)\n\nThe Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft DLL)", "meta": { "external_id": "T1129", "kill_chain": [ @@ -25265,11 +25920,17 @@ "Process: OS API Execution" ], "mitre_platforms": [ - "Windows" + "Windows", + "macOS", + "Linux" ], "refs": [ "https://attack.mitre.org/techniques/T1129", - "https://en.wikipedia.org/wiki/Microsoft_Windows_library_files" + "https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/", + "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html", + "https://learn.microsoft.com/troubleshoot/windows-client/deployment/dynamic-link-library", + "https://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html", + "https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/" ] }, "uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", @@ -25370,7 +26031,9 @@ "Linux", "macOS", "Google Workspace", - "Network" + "Network", + "Containers", + "SaaS" ], "refs": [ "https://attack.mitre.org/techniques/T1136", @@ -25608,7 +26271,7 @@ "value": "Private Keys - T1145" }, { - "description": "An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including:\n\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\n* Unlock code bypass: An adversaries could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\n", + "description": "An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including:\n\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\n* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\n", "meta": { "external_id": "T1461", "kill_chain": [ @@ -26004,6 +26667,27 @@ "uuid": "dd901512-6e37-4155-943b-453e3777b125", "value": "Launch Agent - T1159" }, + { + "description": "An adversary may push an update to a previously benign application to add malicious code. This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code.(Citation: android_app_breaking_bad)\n\nThis technique could also be accomplished by compromising a developer’s account. This would allow an adversary to take advantage of an existing userbase without having to establish the userbase themselves. ", + "meta": { + "external_id": "T1661", + "kill_chain": [ + "mitre-mobile-attack:initial-access", + "mitre-mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1661", + "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html", + "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" + ] + }, + "uuid": "28fdd23d-aee3-4afe-bc3f-5f1f52929258", + "value": "Application Versioning - T1661" + }, { "description": "Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.", "meta": { @@ -26425,9 +27109,13 @@ "Cloud Service: Cloud Service Modification", "Command: Command Execution", "Driver: Driver Load", + "File: File Deletion", + "File: File Modification", "Firewall: Firewall Disable", "Firewall: Firewall Rule Modification", + "Process: OS API Execution", "Process: Process Creation", + "Process: Process Modification", "Process: Process Termination", "Script: Script Execution", "Sensor Health: Host Status", @@ -26447,7 +27135,7 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1562", - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/#:~:text=Don’t%20Sleep%20has%20the%20capability%20to%20keep%20the%20computer%20from%20being%20shutdown%20and%20the%20user%20from%20being%20signed%20off.%20This%20was%20likely%20done%20to%20ensure%20nothing%20will%20interfere%20with%20the%20propagation%20of%20the%20ransomware%20payload" + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/" ] }, "uuid": "3d333250-30e4-4a82-9edc-756c68afc529", @@ -26501,6 +27189,25 @@ "uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "value": "SMS Control - T1582" }, + { + "description": "Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. \n\nTo achieve data destruction, adversaries may use the `pm uninstall` command to uninstall packages or the `rm` command to remove specific files. For example, adversaries may first use `pm uninstall` to uninstall non-system apps, and then use `rm (-f) ` to delete specific files, further hiding malicious activity.(Citation: rootnik_rooting_tool)(Citation: abuse_native_linux_tools)", + "meta": { + "external_id": "T1662", + "kill_chain": [ + "mitre-mobile-attack:impact" + ], + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1662", + "https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/", + "https://www.trendmicro.com/en_za/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html" + ] + }, + "uuid": "9ef14445-6f35-4ed0-a042-5024f13a9242", + "value": "Data Destruction - T1662" + }, { "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", "meta": { @@ -26650,6 +27357,37 @@ "uuid": "38a6d2f5-d948-4235-bb91-bb01604448b4", "value": "Credential pharming - T1374" }, + { + "description": "Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)\n\nAdversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity.(Citation: Microsoft: Powercfg command-line options)(Citation: systemdsleep Linux)\n\nFor example, `powercfg` controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.(Citation: Two New Monero Malware Attacks Target Windows and Android Users) Adversaries may also extend system lock screen timeout settings.(Citation: BATLOADER: The Evasive Downloader Malware) Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.(Citation: CoinLoader: A Sophisticated Malware Loader Campaign)\n\nAware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shut down or reboot.(Citation: Condi-Botnet-binaries)", + "meta": { + "external_id": "T1653", + "kill_chain": [ + "mitre-attack:persistence" + ], + "mitre_data_sources": [ + "Command: Command Execution", + "File: File Modification" + ], + "mitre_platforms": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1653", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options?adlt=strict", + "https://man7.org/linux/man-pages/man5/systemd-sleep.conf.5.html", + "https://securityintelligence.com/news/two-new-monero-malware-attacks-target-windows-and-android-users/", + "https://www.avg.com/en/signal/should-you-shut-down-sleep-or-hibernate-your-pc-or-mac-laptop", + "https://www.avira.com/en/blog/coinloader-a-sophisticated-malware-loader-campaign", + "https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389" + ] + }, + "uuid": "ea071aa0-8f17-416f-ab0d-2bab7e79003d", + "value": "Power Settings - T1653" + }, { "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.", "meta": { @@ -26676,7 +27414,7 @@ "value": "Encrypted Channel - T1573" }, { - "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.", + "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.", "meta": { "external_id": "T1583", "kill_chain": [ @@ -26698,6 +27436,8 @@ "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2", "https://threatconnect.com/blog/infrastructure-research-hunting/", "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/", + "https://www.ic3.gov/Media/News/2022/220818.pdf", + "https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft", "https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation" ] }, @@ -26794,7 +27534,35 @@ "value": "Hide Artifacts - T1564" }, { - "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus)\n\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)", + "description": "Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).\n\nHost binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)\n\nAdversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.", + "meta": { + "external_id": "T1654", + "kill_chain": [ + "mitre-attack:discovery" + ], + "mitre_data_sources": [ + "Command: Command Execution", + "File: File Access", + "Process: Process Creation" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "IaaS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1654", + "https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf", + "https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial", + "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" + ] + }, + "uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969", + "value": "Log Enumeration - T1654" + }, + { + "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking)\n\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)", "meta": { "external_id": "T1584", "kill_chain": [ @@ -26815,6 +27583,7 @@ "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html", "https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf", "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2", + "https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/", "https://threatconnect.com/blog/infrastructure-research-hunting/", "https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/", @@ -26849,7 +27618,8 @@ "Windows", "IaaS", "Linux", - "macOS" + "macOS", + "Containers" ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/", @@ -26923,7 +27693,7 @@ "value": "Serverless Execution - T1648" }, { - "description": "Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability. \n\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR)", + "description": "Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. \n\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking)", "meta": { "external_id": "T1496", "kill_chain": [ @@ -26948,6 +27718,7 @@ "https://attack.mitre.org/techniques/T1496", "https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc", "https://securelist.com/lazarus-under-the-hood/77908/", + "https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/", "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/", "https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html", "https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html", @@ -27083,6 +27854,41 @@ "uuid": "67073dde-d720-45ae-83da-b12d5e73ca3b", "value": "Active Scanning - T1595" }, + { + "description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \n\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks)\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)", + "meta": { + "external_id": "T1657", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "SaaS", + "Google Workspace" + ], + "refs": [ + "https://apnews.com/article/russia-ukraine-technology-business-europe-hacking-ce7a8aca506742ab8e8873e7f9f229c2", + "https://attack.mitre.org/techniques/T1657", + "https://www.bbc.com/news/technology-60933174", + "https://www.cisa.gov/sites/default/files/Ransomware_Trifold_e-version.pdf", + "https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/#:~:text=Vendor%20email%20compromise%2C%20also%20referred,steal%20from%20that%20vendor%27s%20customers.", + "https://www.fbi.gov/file-repository/fy-2022-fbi-congressional-report-business-email-compromise-and-real-estate-wire-fraud-111422.pdf/view", + "https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf", + "https://www.justice.gov/usao-cdca/pr/3-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyber-attacks-and", + "https://www.mandiant.com/resources/blog/ransomware-extortion-ot-docs", + "https://www.nytimes.com/2021/05/13/technology/colonial-pipeline-ransom.html", + "https://www.wired.com/story/pig-butchering-fbi-ic3-2022-report/" + ] + }, + "uuid": "851e071f-208d-4c79-adc6-5974c85c78f3", + "value": "Financial Theft - T1657" + }, { "description": "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).", "meta": { @@ -27134,6 +27940,35 @@ "uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", "value": "Dynamic Resolution - T1568" }, + { + "description": "Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other data to already compromised systems.(Citation: ESET MoustachedBouncer)\n\nAdversaries may inject content to victim systems in various ways, including:\n\n* From the middle, where the adversary is in-between legitimate online client-server communications (**Note:** this is similar but distinct from [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557), which describes AiTM activity solely within an enterprise environment) (Citation: Kaspersky Encyclopedia MiTM)\n* From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server (Citation: Kaspersky ManOnTheSide)\n\nContent injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with \"lawful interception.\"(Citation: Kaspersky ManOnTheSide)(Citation: ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)", + "meta": { + "external_id": "T1659", + "kill_chain": [ + "mitre-attack:initial-access", + "mitre-attack:command-and-control" + ], + "mitre_data_sources": [ + "File: File Creation", + "Network Traffic: Network Traffic Content", + "Process: Process Creation" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1659", + "https://encyclopedia.kaspersky.com/glossary/man-in-the-middle-attack/", + "https://usa.kaspersky.com/blog/man-on-the-side/27854/", + "https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack", + "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" + ] + }, + "uuid": "43c9bc06-715b-42db-972f-52d25c09a20c", + "value": "Content Injection - T1659" + }, { "description": "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence ([Create or Modify System Process](https://attack.mitre.org/techniques/T1543)), but adversaries can also abuse services for one-time or temporary execution.", "meta": { @@ -27241,7 +28076,7 @@ "value": "Adversary-in-the-Middle - T1638" }, { - "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", + "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", "meta": { "external_id": "T1557", "kill_chain": [ @@ -27597,7 +28432,7 @@ "value": "DNS - T1071.004" }, { - "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ", + "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ", "meta": { "external_id": "T1056.001", "kill_chain": [ @@ -27618,6 +28453,7 @@ "refs": [ "http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf", "https://attack.mitre.org/techniques/T1056/001", + "https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html", "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954" ] }, @@ -27680,6 +28516,7 @@ "mitre_data_sources": [ "Command: Command Execution", "File: File Modification", + "Network Traffic: Network Traffic Flow", "Process: Process Creation", "Scheduled Job: Scheduled Job Creation" ], @@ -27848,7 +28685,12 @@ "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf" ] }, - "related": [], + "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "type": "subtechnique-of" + } + ], "uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", "value": "Launchd - T1053.004" }, @@ -29670,7 +30512,7 @@ "value": "Kerberoasting - T1208" }, { - "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)", + "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.", "meta": { "external_id": "T1036", "kill_chain": [ @@ -29681,6 +30523,8 @@ "File: File Metadata", "File: File Modification", "Image: Image Metadata", + "Process: OS API Execution", + "Process: Process Creation", "Process: Process Metadata", "Scheduled Job: Scheduled Job Metadata", "Scheduled Job: Scheduled Job Modification", @@ -29694,10 +30538,10 @@ "Containers" ], "refs": [ - "http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf", "https://attack.mitre.org/techniques/T1036", "https://lolbas-project.github.io/", - "https://twitter.com/ItsReallyNick/status/1055321652777619457" + "https://twitter.com/ItsReallyNick/status/1055321652777619457", + "https://www.elastic.co/blog/how-hunt-masquerade-ball" ] }, "uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", @@ -29728,6 +30572,25 @@ "uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "value": "Scripting - T1064" }, + { + "description": "Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as “spearphishing”. Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.\n\nMobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. \n\nMobile devices are a particularly attractive target for adversaries executing phishing campaigns. Due to their smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as: \n\n- SMS messages: Adversaries may send SMS messages (known as “smishing”) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.\n- Quick Response (QR) Codes: Adversaries may use QR codes (known as “quishing”) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user’s desktop computer to their mobile device.\n- Phone Calls: Adversaries may call victims (known as “vishing”) to persuade them to perform an action, such as providing login credentials or navigating to a malicious website. This could also be used as a technique to perform the initial access on a mobile device, but then pivot to a computer/other network by having the victim perform an action on a desktop computer.\n", + "meta": { + "external_id": "T1660", + "kill_chain": [ + "mitre-mobile-attack:initial-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1660", + "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html" + ] + }, + "uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df", + "value": "Phishing - T1660" + }, { "description": "A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: MTrends 2016)\n\nAdversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\n\n### Master Boot Record\nThe MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)\n\n### Volume Boot Record\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.", "meta": { @@ -30263,6 +31126,53 @@ "uuid": "7823039f-e2d5-4997-853c-ec983631206b", "value": "DNSCalc - T1324" }, + { + "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1655)\n", + "meta": { + "external_id": "T1655", + "kill_chain": [ + "mitre-mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1655", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html" + ] + }, + "uuid": "f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", + "value": "Masquerading - T1655" + }, + { + "description": "Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims. \n \nIn many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables [Financial Theft](https://attack.mitre.org/techniques/T1657).\n\nAdversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as `payment`, `request`, or `urgent` to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary’s goal.   \n \nImpersonation is typically preceded by reconnaissance techniques such as [Gather Victim Identity Information](https://attack.mitre.org/techniques/T1589) and [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591) as well as acquiring infrastructure such as email domains (i.e. [Domains](https://attack.mitre.org/techniques/T1583/001)) to substantiate their false identity.(Citation: CrowdStrike-BEC)\n \nThere is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)", + "meta": { + "external_id": "T1656", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "SaaS", + "Google Workspace" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1656", + "https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/#:~:text=Vendor%20email%20compromise%2C%20also%20referred,steal%20from%20that%20vendor%27s%20customers.", + "https://www.crowdstrike.com/cybersecurity-101/business-email-compromise-bec/" + ] + }, + "uuid": "c9e0c59e-162e-40a4-b8b1-78fab4329ada", + "value": "Impersonation - T1656" + }, { "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)", "meta": { @@ -30330,5 +31240,5 @@ "value": "Keychain - T1579" } ], - "version": 25 + "version": 26 } diff --git a/clusters/mitre-course-of-action.json b/clusters/mitre-course-of-action.json index 9434f17..d5db3aa 100644 --- a/clusters/mitre-course-of-action.json +++ b/clusters/mitre-course-of-action.json @@ -153,6 +153,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "45241b9e-9bbc-4826-a2cc-78855e51ca09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ @@ -181,6 +188,20 @@ ], "type": "mitigates" }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", "tags": [ @@ -1853,6 +1874,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ @@ -1993,6 +2021,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "887274fc-2d63-4bdc-82f3-fae56d1d5fdc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ @@ -2227,6 +2262,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "28fdd23d-aee3-4afe-bc3f-5f1f52929258", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "tags": [ @@ -2805,6 +2847,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "d4dc46e3-5ba5-45b9-8204-010867cacfcb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ @@ -3350,6 +3399,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "43c9bc06-715b-42db-972f-52d25c09a20c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -3941,6 +3997,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "a0e6614a-7740-4b24-bd65-f1bde09fc365", "tags": [ @@ -4513,6 +4576,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "43c9bc06-715b-42db-972f-52d25c09a20c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "52759bf1-fe12-4052-ace6-c5b0cf7dd7fd", "tags": [ @@ -4863,6 +4933,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "tags": [ @@ -4954,6 +5031,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "35d30338-5bfa-41b0-a170-ec06dfd75f64", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ @@ -4968,6 +5052,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "45241b9e-9bbc-4826-a2cc-78855e51ca09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "tags": [ @@ -5010,6 +5101,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "562e9b64-7239-493d-80f4-2bff900d9054", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92", "tags": [ @@ -5052,6 +5150,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "tags": [ @@ -5073,6 +5178,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "6fa224c7-5091-4595-bf15-3fc9fe2f2c7c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "70857657-bd0b-4695-ad3e-b13f92cac1b4", "tags": [ @@ -5143,6 +5255,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156", "tags": [ @@ -5150,6 +5269,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "tags": [ @@ -5297,6 +5423,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "ca00366b-83a1-4c7b-a0ce-8ff950a7c87f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "cacc40da-4c9e-462c-80d5-fd70a178b12d", "tags": [ @@ -5535,6 +5668,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "c9e0c59e-162e-40a4-b8b1-78fab4329ada", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", "tags": [ @@ -6073,6 +6213,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ @@ -6416,6 +6563,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "cfb525cc-5494-401d-a82b-2539ca46a561", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", "tags": [ @@ -7090,6 +7244,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "tags": [ @@ -7841,6 +8002,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "43f2776f-b4bd-4118-94b8-fee47e69676d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", "tags": [ @@ -8586,6 +8754,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "35d30338-5bfa-41b0-a170-ec06dfd75f64", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "4ffc1794-ec3b-45be-9e52-42dbcb2af2de", "tags": [ @@ -8937,6 +9112,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "5abfc5e6-3c56-49e7-ad72-502d01acf28b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", "tags": [ @@ -9075,6 +9257,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", "tags": [ @@ -9400,6 +9589,13 @@ ] }, "related": [ + { + "dest-uuid": "0b761f2b-197a-40f2-b100-8152cb957c0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", "tags": [ @@ -9414,6 +9610,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "tags": [ @@ -9484,6 +9687,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "5abfc5e6-3c56-49e7-ad72-502d01acf28b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "tags": [ @@ -9547,6 +9757,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "9ef14445-6f35-4ed0-a042-5024f13a9242", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", "tags": [ @@ -9610,6 +9827,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ @@ -9652,6 +9876,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "tags": [ @@ -9672,6 +9903,13 @@ ] }, "related": [ + { + "dest-uuid": "0b761f2b-197a-40f2-b100-8152cb957c0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "20b0931a-8952-42ca-975f-775bad295f1a", "tags": [ @@ -9686,6 +9924,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "28fdd23d-aee3-4afe-bc3f-5f1f52929258", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "tags": [ @@ -9787,7 +10032,7 @@ "external_id": "M1014", "refs": [ "https://attack.mitre.org/mitigations/M1014", - "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" + "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" ] }, "related": [ @@ -10216,6 +10461,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ @@ -10237,6 +10489,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "6a5d222a-a7e0-4656-b110-782c33098289", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "tags": [ @@ -10258,6 +10517,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ @@ -10328,6 +10594,20 @@ ], "type": "mitigates" }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "bb5e59c4-abe7-40c7-8196-e373cb1e5974", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "tags": [ @@ -10335,6 +10615,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "c9e0c59e-162e-40a4-b8b1-78fab4329ada", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "cabe189c-a0e3-4965-a473-dcff00f17213", "tags": [ @@ -11454,6 +11741,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "52759bf1-fe12-4052-ace6-c5b0cf7dd7fd", "tags": [ @@ -11475,6 +11769,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "824add00-99a1-4b15-9a2d-6c5683b7b497", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a", "tags": [ @@ -12616,6 +12917,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ @@ -12637,6 +12945,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "887274fc-2d63-4bdc-82f3-fae56d1d5fdc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -12711,6 +13026,26 @@ "uuid": "a6a47a06-08fc-4ec4-bdc3-20373375ebb9", "value": "Antivirus/Antimalware - M1049" }, + { + "description": "Mobile security products, such as Mobile Threat Defense (MTD), offer various device-based mitigations against certain behaviors.", + "meta": { + "external_id": "M1058", + "refs": [ + "https://attack.mitre.org/mitigations/M1058" + ] + }, + "related": [ + { + "dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "78671282-26aa-486c-a7a5-5921e1616b58", + "value": "Antivirus/Antimalware - M1058" + }, { "description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.", "meta": { @@ -13055,6 +13390,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "562e9b64-7239-493d-80f4-2bff900d9054", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92", "tags": [ @@ -13279,6 +13621,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "ca00366b-83a1-4c7b-a0ce-8ff950a7c87f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "tags": [ @@ -13321,6 +13670,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "ea071aa0-8f17-416f-ab0d-2bab7e79003d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ @@ -13375,5 +13731,5 @@ "value": "Audit - M1047" } ], - "version": 26 + "version": 27 } diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json index da49cea..89f61b4 100644 --- a/clusters/mitre-intrusion-set.json +++ b/clusters/mitre-intrusion-set.json @@ -19,7 +19,7 @@ "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf", "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/", "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/", - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf" + "https://www.mandiant.com/sites/default/files/2021-09/rpt-operation-saffron-rose.pdf" ], "synonyms": [ "Ajax Security Team", @@ -1924,23 +1924,30 @@ "value": "Deep Panda - G0009" }, { - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", "meta": { "external_id": "G0102", "refs": [ "https://attack.mitre.org/groups/G0102", + "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/", "https://us-cert.cisa.gov/ncas/alerts/aa20-302a", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf", + "https://www.secureworks.com/research/threat-profiles/gold-blackburn" ], "synonyms": [ "Wizard Spider", "UNC1878", "TEMP.MixMaster", - "Grim Spider" + "Grim Spider", + "FIN12", + "GOLD BLACKBURN", + "ITG23", + "Periwinkle Tempest" ] }, "related": [ @@ -1958,6 +1965,13 @@ ], "type": "uses" }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ @@ -1979,6 +1993,13 @@ ], "type": "uses" }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "066b057c-944e-4cfc-b654-e3dfba04b926", "tags": [ @@ -2000,6 +2021,13 @@ ], "type": "uses" }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ @@ -2084,6 +2112,20 @@ ], "type": "uses" }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4dea7d8e-af94-4bfb-afe4-7ff54f59308b", "tags": [ @@ -2098,6 +2140,13 @@ ], "type": "uses" }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ @@ -2112,6 +2161,13 @@ ], "type": "uses" }, + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe", "tags": [ @@ -2119,6 +2175,20 @@ ], "type": "uses" }, + { + "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", "tags": [ @@ -2126,6 +2196,13 @@ ], "type": "uses" }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", "tags": [ @@ -2140,6 +2217,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "tags": [ @@ -2154,6 +2238,13 @@ ], "type": "uses" }, + { + "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "tags": [ @@ -2238,6 +2329,13 @@ ], "type": "uses" }, + { + "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "tags": [ @@ -2245,6 +2343,13 @@ ], "type": "uses" }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "tags": [ @@ -2259,6 +2364,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c9b99d03-ff11-4a48-95f0-82660d582c25", "tags": [ @@ -2280,6 +2392,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "tags": [ @@ -2301,6 +2420,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e33267fe-099f-4af2-8730-63d49f8813b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ @@ -2308,6 +2434,27 @@ ], "type": "uses" }, + { + "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e7cbc1de-1f79-48ee-abfd-da1241c65a15", "tags": [ @@ -2364,6 +2511,13 @@ ], "type": "uses" }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "tags": [ @@ -5188,13 +5342,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "76551c52-b111-4884-bc47-ff3e728f0156", "tags": [ @@ -6108,6 +6255,30 @@ "uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", "value": "Gamaredon Group - G0047" }, + { + "description": "[Charming Kitten](https://attack.mitre.org/groups/G0058) is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [[Charming Kitten](https://attack.mitre.org/groups/G0058) often tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, [Magic Hound](https://attack.mitre.org/groups/G0059), resulting in reporting that may not distinguish between the two groups' activities.(Citation: ClearSky Charming Kitten Dec 2017)", + "meta": { + "external_id": "G0058", + "refs": [ + "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf", + "https://attack.mitre.org/groups/G0058" + ], + "synonyms": [ + "Charming Kitten" + ] + }, + "related": [ + { + "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], + "uuid": "92d5b3fd-3b39-438e-af68-770e447beada", + "value": "Charming Kitten - G0058" + }, { "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Profile)(Citation: Proofpoint TA453 July2021)", "meta": { @@ -6345,6 +6516,13 @@ ], "type": "similar" }, + { + "dest-uuid": "494ab9f0-36e0-4b06-b10d-57285b040a06", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470", "tags": [ @@ -7012,6 +7190,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "tags": [ @@ -7433,6 +7618,61 @@ "uuid": "c77c5576-ca19-42ed-a36f-4b4486a84133", "value": "GOLD SOUTHFIELD - G0115" }, + { + "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.(Citation: CrowdStrike Scattered Spider Profile)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)", + "meta": { + "external_id": "G1015", + "refs": [ + "https://attack.mitre.org/groups/G1015", + "https://www.crowdstrike.com/adversaries/scattered-spider/", + "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/", + "https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/" + ], + "synonyms": [ + "Scattered Spider", + "Roasted 0ktapus" + ] + }, + "related": [ + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cca0ccb6-a068-4574-a722-b1556f86833a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "44d37b89-a739-4810-9111-0d2617a8939b", + "value": "Scattered Spider - G1015" + }, { "description": "[Operation Wocao](https://attack.mitre.org/groups/G0116) described activities carried out by a China-based cyber espionage adversary. [Operation Wocao](https://attack.mitre.org/groups/G0116) targeted entities within the government, managed service providers, energy, health care, and technology sectors across several countries, including China, France, Germany, the United Kingdom, and the United States. [Operation Wocao](https://attack.mitre.org/groups/G0116) used similar TTPs and tools to APT20, suggesting a possible overlap.(Citation: FoxIT Wocao December 2019)", "meta": { @@ -7518,6 +7758,13 @@ ], "type": "uses" }, + { + "dest-uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21", "tags": [ @@ -7651,13 +7898,6 @@ ], "type": "uses" }, - { - "dest-uuid": "911fe4c3-444d-4e92-83b8-cc761ac5fd3b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -7789,7 +8029,370 @@ "value": "Fox Kitten - G0117" }, { - "description": "[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)", + "description": "[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. [Volt Typhoon](https://attack.mitre.org/groups/G1017) typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. [Volt Typhoon](https://attack.mitre.org/groups/G1017) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)", + "meta": { + "external_id": "G1017", + "refs": [ + "https://attack.mitre.org/groups/G1017", + "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", + "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", + "https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations" + ], + "synonyms": [ + "Volt Typhoon", + "BRONZE SILHOUETTE" + ] + }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "810d8072-afb6-4a56-9ee7-86379ac4a6f3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e196b5c5-8118-4a1c-ab8a-936586ce3db5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f91162cc-1686-4ff8-8115-bf3f61a4cc7a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "174279b4-399f-4ddb-966e-5efedd1dd5f2", + "value": "Volt Typhoon - G1017" + }, + { + "description": "[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://attack.mitre.org/groups/G0119) changed their tactics and diversified their toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)", "meta": { "external_id": "G0119", "refs": [ @@ -7839,6 +8442,13 @@ ], "type": "uses" }, + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ @@ -7881,6 +8491,13 @@ ], "type": "uses" }, + { + "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ @@ -9037,6 +9654,13 @@ ], "type": "uses" }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "tags": [ @@ -9058,6 +9682,13 @@ ], "type": "uses" }, + { + "dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ @@ -9093,6 +9724,13 @@ ], "type": "uses" }, + { + "dest-uuid": "6a5d222a-a7e0-4656-b110-782c33098289", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6ee2dc99-91ad-4534-a7d8-a649358c331f", "tags": [ @@ -9226,6 +9864,20 @@ ], "type": "uses" }, + { + "dest-uuid": "c2f59d25-87fe-44aa-8f83-e8e59d077bf5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c9e0c59e-162e-40a4-b8b1-78fab4329ada", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "cc723aff-ec88-40e3-a224-5af9fd983cc4", "tags": [ @@ -10547,7 +11199,7 @@ "value": "Inception - G0100" }, { - "description": "[Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)", + "description": "[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as [Uroburos](https://attack.mitre.org/software/S0022).(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "meta": { "external_id": "G0010", "refs": [ @@ -10557,6 +11209,7 @@ "https://securelist.com/introducing-whitebear/81638/", "https://securelist.com/the-epic-turla-operation/65545/", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + "https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/", "https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf", "https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1", @@ -10598,6 +11251,13 @@ ], "type": "uses" }, + { + "dest-uuid": "09fcc02f-f9d4-43fa-8609-5e5e186b7103", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "tags": [ @@ -11302,6 +11962,13 @@ ], "type": "uses" }, + { + "dest-uuid": "08e844a8-371f-4fe3-9d1f-e056e64a7fde", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "tags": [ @@ -15198,6 +15865,7 @@ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services", "https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise", + "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email", "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", @@ -15227,7 +15895,8 @@ "Cozy Bear", "CozyDuke", "SolarStorm", - "Blue Kitsune" + "Blue Kitsune", + "UNC3524" ] }, "related": [ @@ -15252,6 +15921,13 @@ ], "type": "uses" }, + { + "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "tags": [ @@ -15294,6 +15970,20 @@ ], "type": "uses" }, + { + "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", "tags": [ @@ -15315,6 +16005,13 @@ ], "type": "uses" }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "tags": [ @@ -15329,6 +16026,13 @@ ], "type": "uses" }, + { + "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "tags": [ @@ -15399,6 +16103,13 @@ ], "type": "uses" }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3d52e51e-f6db-4719-813c-48002a99f43a", "tags": [ @@ -15434,6 +16145,20 @@ ], "type": "uses" }, + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4816d361-f82b-4a18-aa05-b215e7cf9200", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4efc3e00-72f2-466a-ab7c-8a7dc6603b19", "tags": [ @@ -15553,6 +16278,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331", "tags": [ @@ -15861,6 +16593,13 @@ ], "type": "uses" }, + { + "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "tags": [ @@ -17663,6 +18402,13 @@ ], "type": "uses" }, + { + "dest-uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "tags": [ @@ -17726,13 +18472,6 @@ ], "type": "uses" }, - { - "dest-uuid": "911fe4c3-444d-4e92-83b8-cc761ac5fd3b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -18089,16 +18828,19 @@ "value": "Taidoor - G0015" }, { - "description": "[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016)", + "description": "[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected [FIN8](https://attack.mitre.org/groups/G0061) switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)", "meta": { "external_id": "G0061", "refs": [ "https://attack.mitre.org/groups/G0061", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor", "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf", "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html" ], "synonyms": [ - "FIN8" + "FIN8", + "Syssphinx" ] }, "related": [ @@ -18130,6 +18872,27 @@ ], "type": "uses" }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0c52f5bc-557d-4083-bd27-66d7cdb794bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ @@ -18158,6 +18921,20 @@ ], "type": "uses" }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3553b49d-d4ae-4fb6-ab17-0adbc520c888", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", "tags": [ @@ -18179,6 +18956,13 @@ ], "type": "uses" }, + { + "dest-uuid": "54895630-efd2-4608-9c24-319de972a9eb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ @@ -18256,6 +19040,13 @@ ], "type": "uses" }, + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "a78ae9fe-71cd-4563-9213-7b6260bd9a73", "tags": [ @@ -18277,6 +19068,20 @@ ], "type": "uses" }, + { + "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "tags": [ @@ -18340,6 +19145,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e7cbc1de-1f79-48ee-abfd-da1241c65a15", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ @@ -18360,6 +19172,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fd19bd82-1b14-49a1-a176-6cdc46b8a826", @@ -21176,13 +21995,6 @@ ], "type": "uses" }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ @@ -21344,6 +22156,13 @@ ], "type": "uses" }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "tags": [ @@ -21528,22 +22347,22 @@ "meta": { "external_id": "G0067", "refs": [ - "https://adversary.crowdstrike.com/en-US/adversary/ricochet-chollima/", "https://attack.mitre.org/groups/G0067", "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://securelist.com/operation-daybreak/75100/", "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", + "https://www.crowdstrike.com/adversaries/ricochet-chollima/", "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" ], "synonyms": [ "APT37", - "Richochet Chollima", "InkySquid", "ScarCruft", "Reaper", "Group123", - "TEMP.Reaper" + "TEMP.Reaper", + "Ricochet Chollima" ] }, "related": [ @@ -22820,6 +23639,13 @@ ], "type": "uses" }, + { + "dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "tags": [ @@ -24017,7 +24843,7 @@ "value": "Sowbug - G0054" }, { - "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)", + "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)", "meta": { "external_id": "G0046", "refs": [ @@ -24030,6 +24856,7 @@ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + "https://www.mandiant.com/resources/evolution-of-fin7", "https://www.secureworks.com/research/threat-profiles/gold-niagara" ], "synonyms": [ @@ -24075,6 +24902,20 @@ ], "type": "uses" }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "04fc1842-f9e4-47cf-8cb8-5c61becad142", "tags": [ @@ -24159,6 +25000,13 @@ ], "type": "uses" }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "tags": [ @@ -24180,6 +25028,13 @@ ], "type": "uses" }, + { + "dest-uuid": "31fe0ba2-62fd-4fd9-9293-4043d84f7fe9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "tags": [ @@ -24201,6 +25056,20 @@ ], "type": "uses" }, + { + "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "tags": [ @@ -24229,6 +25098,13 @@ ], "type": "uses" }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "tags": [ @@ -24264,6 +25140,13 @@ ], "type": "uses" }, + { + "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", "tags": [ @@ -24299,6 +25182,13 @@ ], "type": "uses" }, + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "tags": [ @@ -24341,6 +25231,13 @@ ], "type": "uses" }, + { + "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "bd7a9e13-69fa-4243-a5e5-04326a63f9f2", "tags": [ @@ -28058,6 +28955,694 @@ "uuid": "6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", "value": "BlackTech - G0098" }, + { + "description": "[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)", + "meta": { + "external_id": "G1018", + "refs": [ + "https://attack.mitre.org/groups/G1018", + "https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/", + "https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" + ], + "synonyms": [ + "TA2541" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4327aff5-f194-440c-b499-4d9730cc1eab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6a5947f3-1a36-4653-8734-526df3e1d28d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f8cd191-902c-4e83-bf20-b57c8c4640e9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fde19a18-e502-467f-be14-58c71b4e7f4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "467271fd-47c0-4e90-a3f9-d84f5cf790d0", + "value": "TA2541 - G1018" + }, + { + "description": "[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)", + "meta": { + "external_id": "G1016", + "refs": [ + "https://attack.mitre.org/groups/G1016", + "https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d", + "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" + ], + "synonyms": [ + "FIN13", + "Elephant Beetle" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "34ab90a3-05f6-4259-8f21-621081fdaba5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "fd66436e-4d33-450e-ac4c-f7810f1c85f4", + "value": "FIN13 - G1016" + }, { "description": "[UNC2452](https://attack.mitre.org/groups/G0118) is a suspected Russian state-sponsored threat group responsible for the 2020 SolarWinds software supply chain intrusion.(Citation: FireEye SUNBURST Backdoor December 2020) Victims of this campaign include government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East.(Citation: FireEye SUNBURST Backdoor December 2020) The group also compromised at least one think tank by late 2019.(Citation: Volexity SolarWinds)", "meta": { @@ -29600,6 +31185,107 @@ "uuid": "b7f627e2-0817-4cd5-8d50-e75f8aa85cc6", "value": "LuminousMoth - G1014" }, + { + "description": "[MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)", + "meta": { + "external_id": "G1019", + "refs": [ + "https://attack.mitre.org/groups/G1019", + "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" + ], + "synonyms": [ + "MoustachedBouncer" + ] + }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1fefb062-feda-484a-8f10-0cebf65e20e3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43c9bc06-715b-42db-972f-52d25c09a20c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "91c57ed3-7c32-4c68-b388-7db00cb8dac6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e1445afd-c359-45ed-8f27-626dc4d5e157", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "7251b44b-6072-476c-b8d9-a6e32c355b28", + "value": "MoustachedBouncer - G1019" + }, { "description": "[CostaRicto](https://attack.mitre.org/groups/G0132) is a suspected hacker-for-hire cyber espionage campaign that has targeted multiple industries worldwide since at least 2019. [CostaRicto](https://attack.mitre.org/groups/G0132)'s targets, a large portion of which are financial institutions, are scattered across Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia.(Citation: BlackBerry CostaRicto November 2020)", "meta": { @@ -29639,6 +31325,13 @@ ], "type": "uses" }, + { + "dest-uuid": "15d78a95-af6a-4b06-8dae-76bedb0ec5a1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ @@ -29771,6 +31464,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "feae299d-e34f-4fc9-8545-486d0905bd41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6eded342-33e5-4451-b6b2-e1c62863129f", @@ -31343,5 +33043,5 @@ "value": "TeamTNT - G0139" } ], - "version": 31 + "version": 32 } diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json index 523ed4a..4deb4ee 100644 --- a/clusters/mitre-malware.json +++ b/clusters/mitre-malware.json @@ -64,6 +64,13 @@ ], "type": "similar" }, + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c", "tags": [ @@ -98,6 +105,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -736,6 +750,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ @@ -834,6 +855,13 @@ ], "type": "similar" }, + { + "dest-uuid": "5abfc5e6-3c56-49e7-ad72-502d01acf28b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ @@ -2081,6 +2109,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -3439,6 +3474,13 @@ ], "type": "uses" }, + { + "dest-uuid": "494ab9f0-36e0-4b06-b10d-57285b040a06", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "tags": [ @@ -3855,13 +3897,6 @@ ], "type": "uses" }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ @@ -4023,6 +4058,13 @@ ], "type": "uses" }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ @@ -5943,6 +5985,13 @@ ], "type": "uses" }, + { + "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "tags": [ @@ -5971,13 +6020,6 @@ ], "type": "uses" }, - { - "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "tags": [ @@ -6311,6 +6353,13 @@ ], "type": "uses" }, + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -7551,6 +7600,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "tags": [ @@ -7592,6 +7648,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -8194,7 +8257,7 @@ "value": "macOS.OSAMiner - S1048" }, { - "description": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a MacOS backdoor with several variants that has been used by [APT32](https://attack.mitre.org/groups/G0050).(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)", + "description": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a macOS backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First discovered in 2015, [APT32](https://attack.mitre.org/groups/G0050) has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can also determine it's permission level and execute according to access type (`root` or `user`).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)", "meta": { "external_id": "S0352", "mitre_platforms": [ @@ -8203,6 +8266,7 @@ "refs": [ "https://attack.mitre.org/software/S0352", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/", + "https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/", "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html" ], "synonyms": [ @@ -8211,6 +8275,13 @@ ] }, "related": [ + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "tags": [ @@ -8218,6 +8289,13 @@ ], "type": "uses" }, + { + "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "tags": [ @@ -8225,6 +8303,20 @@ ], "type": "uses" }, + { + "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "tags": [ @@ -8253,6 +8345,20 @@ ], "type": "uses" }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "tags": [ @@ -8295,6 +8401,13 @@ ], "type": "uses" }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -8302,6 +8415,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "tags": [ @@ -8433,6 +8553,13 @@ ], "type": "uses" }, + { + "dest-uuid": "4a2975db-414e-4c0c-bd92-775987514b4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ @@ -9341,7 +9468,7 @@ "value": "CosmicDuke - S0050" }, { - "description": "[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [Ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)", + "description": "[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)", "meta": { "external_id": "S0600", "mitre_platforms": [ @@ -9728,6 +9855,32 @@ "uuid": "95047f03-4811-4300-922e-1ba937d53a61", "value": "Hikit - S0009" }, + { + "description": "", + "meta": { + "external_id": "S9000", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S9000" + ], + "synonyms": [ + "Ngrok" + ] + }, + "related": [ + { + "dest-uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], + "uuid": "911fe4c3-444d-4e92-83b8-cc761ac5fd3b", + "value": "Ngrok - S9000" + }, { "description": "[Rover](https://attack.mitre.org/software/S0090) is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. (Citation: Palo Alto Rover)", "meta": { @@ -10871,6 +11024,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "tags": [ @@ -13248,6 +13408,103 @@ "uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "value": "Elise - S0081" }, + { + "description": "[Fakecalls](https://attack.mitre.org/software/S1080) is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.(Citation: kaspersky_fakecalls_0422) ", + "meta": { + "external_id": "S1080", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1080", + "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/" + ], + "synonyms": [ + "Fakecalls" + ] + }, + "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "429e1526-6293-495b-8808-af7f9a66c4be", + "value": "Fakecalls - S1080" + }, { "description": "[Sykipot](https://attack.mitre.org/software/S0018) is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of [Sykipot](https://attack.mitre.org/software/S0018) hijacks smart cards on victims. (Citation: Alienvault Sykipot DOD Smart Cards) The group using this malware has also been referred to as Sykipot. (Citation: Blasco 2013)", "meta": { @@ -13515,6 +13772,173 @@ "uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "value": "Volgmer - S0180" }, + { + "description": "[NightClub](https://attack.mitre.org/software/S1090) is a modular implant written in C++ that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2014.(Citation: MoustachedBouncer ESET August 2023)", + "meta": { + "external_id": "S1090", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1090", + "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" + ], + "synonyms": [ + "NightClub" + ] + }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "91c57ed3-7c32-4c68-b388-7db00cb8dac6", + "value": "NightClub - S1090" + }, { "description": "[Epic](https://attack.mitre.org/software/S0091) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla)", "meta": { @@ -13737,13 +14161,6 @@ ], "type": "uses" }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb", "tags": [ @@ -13772,6 +14189,13 @@ ], "type": "uses" }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", "tags": [ @@ -13867,15 +14291,39 @@ "value": "Chaos - S0220" }, { - "description": "[Uroburos](https://attack.mitre.org/software/S0022) is a rootkit used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla)", + "description": "[Uroburos](https://attack.mitre.org/software/S0022) is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the [Turla](https://attack.mitre.org/groups/G0010) toolset to collect intelligence on sensitive targets worldwide. [Uroburos](https://attack.mitre.org/software/S0022) has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. [Uroburos](https://attack.mitre.org/software/S0022) is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. [Uroburos](https://attack.mitre.org/software/S0022) has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla)", "meta": { "external_id": "S0022", + "mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], "refs": [ "https://attack.mitre.org/software/S0022", - "https://securelist.com/the-epic-turla-operation/65545/" + "https://securelist.com/the-epic-turla-operation/65545/", + "https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf" + ], + "synonyms": [ + "Uroburos", + "Snake" ] }, "related": [ + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "tags": [ @@ -13883,6 +14331,13 @@ ], "type": "uses" }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "22332d52-c0c2-443c-9ffb-f08c0d23722c", "tags": [ @@ -13890,6 +14345,181 @@ ], "type": "similar" }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", "tags": [ @@ -13903,6 +14533,48 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", @@ -14150,6 +14822,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "tags": [ @@ -19799,6 +20478,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "tags": [ @@ -20610,6 +21296,13 @@ ], "type": "uses" }, + { + "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ @@ -21192,6 +21885,13 @@ ], "type": "uses" }, + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -21772,6 +22472,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -22115,6 +22822,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "tags": [ @@ -23041,64 +23755,6 @@ "uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "value": "SslMM - S0058" }, - { - "description": "[Ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [Ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)", - "meta": { - "external_id": "S0508", - "mitre_platforms": [ - "Windows" - ], - "refs": [ - "https://attack.mitre.org/software/S0508", - "https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf", - "https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/" - ], - "synonyms": [ - "Ngrok" - ] - }, - "related": [ - { - "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - } - ], - "uuid": "911fe4c3-444d-4e92-83b8-cc761ac5fd3b", - "value": "Ngrok - S0508" - }, { "description": "[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)", "meta": { @@ -23115,6 +23771,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -24425,7 +25088,7 @@ "https://www.dragos.com/wp-content/uploads/TRISIS-01.pdf", "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", "https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html", - "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html " + "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html" ], "synonyms": [ "TRITON", @@ -27864,6 +28527,272 @@ "uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "value": "XTunnel - S0117" }, + { + "description": "[BADHATCH](https://attack.mitre.org/software/S1081) is a backdoor that has been utilized by [FIN8](https://attack.mitre.org/groups/G0061) since at least 2019. [BADHATCH](https://attack.mitre.org/software/S1081) has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)", + "meta": { + "external_id": "S1081", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1081", + "https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/", + "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" + ], + "synonyms": [ + "BADHATCH" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "3553b49d-d4ae-4fb6-ab17-0adbc520c888", + "value": "BADHATCH - S1081" + }, { "description": "[FALLCHILL](https://attack.mitre.org/software/S0181) is a RAT that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other [Lazarus Group](https://attack.mitre.org/groups/G0032) malware or delivered when a victim unknowingly visits a compromised website. (Citation: US-CERT FALLCHILL Nov 2017)", "meta": { @@ -32488,6 +33417,145 @@ "uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", "value": "FinFisher - S0182" }, + { + "description": "[Sunbird](https://attack.mitre.org/software/S1082) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Sunbird](https://attack.mitre.org/software/S1082) was first active in early 2017. While [Sunbird](https://attack.mitre.org/software/S1082) and [Hornbill](https://attack.mitre.org/software/S1077) overlap in core capabilities, [Sunbird](https://attack.mitre.org/software/S1082) has a more extensive set of malicious features.(Citation: lookout_hornbill_sunbird_0221)", + "meta": { + "external_id": "S1082", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1082", + "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" + ], + "synonyms": [ + "Sunbird" + ] + }, + "related": [ + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "feae299d-e34f-4fc9-8545-486d0905bd41", + "value": "Sunbird - S1082" + }, { "description": "[WINERACK](https://attack.mitre.org/software/S0219) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)", "meta": { @@ -32593,6 +33661,138 @@ "uuid": "c709da93-20c3-4d17-ab68-48cba76b2137", "value": "PJApps - S0291" }, + { + "description": "[Escobar](https://attack.mitre.org/software/S1092) is an Android banking trojan, first detected in March 2021, believed to be a new variant of AbereBot.(Citation: Bleeipng Computer Escobar)", + "meta": { + "external_id": "S1092", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1092", + "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" + ], + "synonyms": [ + "Escobar" + ] + }, + "related": [ + { + "dest-uuid": "0b761f2b-197a-40f2-b100-8152cb957c0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "ec13d292-6d8d-4c7a-b07c-a2bd2402569a", + "value": "Escobar - S1092" + }, { "description": "[DCSrv](https://attack.mitre.org/software/S1033) is destructive malware that has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) since at least September 2021. Though [DCSrv](https://attack.mitre.org/software/S1033) has ransomware-like capabilities, [Moses Staff](https://attack.mitre.org/groups/G1009) does not demand ransom or offer a decryption key.(Citation: Checkpoint MosesStaff Nov 2021)", "meta": { @@ -34234,6 +35434,167 @@ "uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "value": "RedLeaves - S0153" }, + { + "description": "[Snip3](https://attack.mitre.org/software/S1086) is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including [AsyncRAT](https://attack.mitre.org/software/S1087), [Revenge RAT](https://attack.mitre.org/software/S0379), [Agent Tesla](https://attack.mitre.org/software/S0331), and [NETWIRE](https://attack.mitre.org/software/S0198).(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)", + "meta": { + "external_id": "S1086", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1086", + "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader", + "https://telefonicatech.com/blog/snip3-investigacion-malware" + ], + "synonyms": [ + "Snip3" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "4327aff5-f194-440c-b499-4d9730cc1eab", + "value": "Snip3 - S1086" + }, { "description": "[USBStealer](https://attack.mitre.org/software/S0136) is malware that has been used by [APT28](https://attack.mitre.org/groups/G0007) since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with [ADVSTORESHELL](https://attack.mitre.org/software/S0045). (Citation: ESET Sednit USBStealer 2014) (Citation: Kaspersky Sofacy)", "meta": { @@ -35338,6 +36699,152 @@ "uuid": "432555de-63bf-4f2a-a3fa-f720a4561078", "value": "FlawedAmmyy - S0381" }, + { + "description": "[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)", + "meta": { + "external_id": "S1083", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1083", + "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" + ], + "synonyms": [ + "Chameleon" + ] + }, + "related": [ + { + "dest-uuid": "0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", + "value": "Chameleon - S1083" + }, { "description": "[HAWKBALL](https://attack.mitre.org/software/S0391) is a backdoor that was observed in targeting of the government sector in Central Asia.(Citation: FireEye HAWKBALL Jun 2019)", "meta": { @@ -35883,6 +37390,68 @@ "uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "value": "PowerDuke - S0139" }, + { + "description": "[FlyTrap](https://attack.mitre.org/software/S1093) is an Android trojan, first detected in March 2021, that uses social engineering tactics to compromise Facebook accounts. [FlyTrap](https://attack.mitre.org/software/S1093) was initially detected through infected apps on the Google Play store, and is believed to have impacted over 10,000 victims across at least 140 countries.(Citation: Trend Micro FlyTrap) ", + "meta": { + "external_id": "S1093", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1093", + "https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/" + ], + "synonyms": [ + "FlyTrap" + ] + }, + "related": [ + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "8338393c-cb2e-4ee6-b944-34672499c785", + "value": "FlyTrap - S1093" + }, { "description": "[BabyShark](https://attack.mitre.org/software/S0414) is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. (Citation: Unit42 BabyShark Feb 2019)", "meta": { @@ -37851,6 +39420,75 @@ "uuid": "9abdda30-08e0-4ab1-9cf0-d447654c6de9", "value": "Kobalos - S0641" }, + { + "description": "[ANDROMEDA](https://attack.mitre.org/software/S1074) is commodity malware that was widespread in the early 2010's and continues to be observed in infections across a wide variety of industries. During the 2022 [C0026](https://attack.mitre.org/campaigns/C0026) campaign, threat actors re-registered expired [ANDROMEDA](https://attack.mitre.org/software/S1074) C2 domains to spread malware to select targets in Ukraine.(Citation: Mandiant Suspected Turla Campaign February 2023)", + "meta": { + "external_id": "S1074", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1074", + "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" + ], + "synonyms": [ + "ANDROMEDA" + ] + }, + "related": [ + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "dcd9548e-df9e-47c2-81f3-bc084289959d", + "value": "ANDROMEDA - S1074" + }, { "description": "[GRIFFON](https://attack.mitre.org/software/S0417) is a JavaScript backdoor used by [FIN7](https://attack.mitre.org/groups/G0046). (Citation: SecureList Griffon May 2019)", "meta": { @@ -38236,6 +39874,61 @@ "uuid": "d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40", "value": "build_downer - S0471" }, + { + "description": "[QUIETEXIT](https://attack.mitre.org/software/S1084) is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021. [APT29](https://attack.mitre.org/groups/G0016) has deployed [QUIETEXIT](https://attack.mitre.org/software/S1084) on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.(Citation: Mandiant APT29 Eye Spy Email Nov 22)", + "meta": { + "external_id": "S1084", + "mitre_platforms": [ + "Network" + ], + "refs": [ + "https://attack.mitre.org/software/S1084", + "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" + ], + "synonyms": [ + "QUIETEXIT" + ] + }, + "related": [ + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "4816d361-f82b-4a18-aa05-b215e7cf9200", + "value": "QUIETEXIT - S1084" + }, { "description": "[POWRUNER](https://attack.mitre.org/software/S0184) is a PowerShell script that sends and receives commands to and from the C2 server. (Citation: FireEye APT34 Dec 2017)", "meta": { @@ -38421,6 +40114,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -38875,6 +40575,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "tags": [ @@ -39293,6 +41000,13 @@ ], "type": "uses" }, + { + "dest-uuid": "28fdd23d-aee3-4afe-bc3f-5f1f52929258", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "tags": [ @@ -39450,6 +41164,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -40370,6 +42091,117 @@ "uuid": "fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "value": "TianySpy - S1056" }, + { + "description": "[KOPILUWAK](https://attack.mitre.org/software/S1075) is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.(Citation: Mandiant Suspected Turla Campaign February 2023)", + "meta": { + "external_id": "S1075", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1075", + "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" + ], + "synonyms": [ + "KOPILUWAK" + ] + }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "09fcc02f-f9d4-43fa-8609-5e5e186b7103", + "value": "KOPILUWAK - S1075" + }, { "description": "[SOUNDBITE](https://attack.mitre.org/software/S0157) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)", "meta": { @@ -40812,6 +42644,195 @@ "uuid": "1da748a5-875d-4212-9222-b4c23ab861be", "value": "Prestige - S1058" }, + { + "description": "[Sardonic](https://attack.mitre.org/software/S1085) is a backdoor written in C and C++ that is known to be used by [FIN8](https://attack.mitre.org/groups/G0061), as early as August 2021 to target a financial institution in the United States. [Sardonic](https://attack.mitre.org/software/S1085) has a plugin system that can load specially made DLLs and execute their functions.(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)", + "meta": { + "external_id": "S1085", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1085", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor", + "https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" + ], + "synonyms": [ + "Sardonic" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "0c52f5bc-557d-4083-bd27-66d7cdb794bb", + "value": "Sardonic - S1085" + }, { "description": "[SNUGRIDE](https://attack.mitre.org/software/S0159) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045) as first stage malware. (Citation: FireEye APT10 April 2017)", "meta": { @@ -41591,6 +43612,90 @@ "uuid": "72911fe3-f085-40f7-b4f2-f25a4221fe44", "value": "FoggyWeb - S0661" }, + { + "description": "[QUIETCANARY](https://attack.mitre.org/software/S1076) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.(Citation: Mandiant Suspected Turla Campaign February 2023)", + "meta": { + "external_id": "S1076", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1076", + "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" + ], + "synonyms": [ + "QUIETCANARY", + "Tunnus" + ] + }, + "related": [ + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "93289ecf-4d15-4d6b-a9c3-4ab27e145ef4", + "value": "QUIETCANARY - S1076" + }, { "description": "[FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)", "meta": { @@ -42109,7 +44214,7 @@ "refs": [ "https://attack.mitre.org/software/S1068", "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", - "https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat", + "https://www.cyber.gov.au/about-us/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat", "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" ], "synonyms": [ @@ -43078,6 +45183,159 @@ "uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", "value": "RawPOS - S0169" }, + { + "description": "[Hornbill](https://attack.mitre.org/software/S1077) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Hornbill](https://attack.mitre.org/software/S1077) was first active in early 2018. While [Hornbill](https://attack.mitre.org/software/S1077) and [Sunbird](https://attack.mitre.org/software/S1082) overlap in core capabilities, [Hornbill](https://attack.mitre.org/software/S1077) has tools and behaviors suggesting more passive reconnaissance.(Citation: lookout_hornbill_sunbird_0221)", + "meta": { + "external_id": "S1077", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1077", + "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" + ], + "synonyms": [ + "Hornbill" + ] + }, + "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "24a77e53-0751-46fc-b207-99378fb35c08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "15d78a95-af6a-4b06-8dae-76bedb0ec5a1", + "value": "Hornbill - S1077" + }, { "description": "[Daserf](https://attack.mitre.org/software/S0187) is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017)", "meta": { @@ -43220,6 +45478,146 @@ "uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", "value": "Daserf - S0187" }, + { + "description": "[RotaJakiro](https://attack.mitre.org/software/S1078) is a 64-bit Linux backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First seen in 2018, it uses a plugin architecture to extend capabilities. [RotaJakiro](https://attack.mitre.org/software/S1078) can determine it's permission level and execute according to access type (`root` or `user`).(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: netlab360 rotajakiro vs oceanlotus)", + "meta": { + "external_id": "S1078", + "mitre_platforms": [ + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S1078", + "https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/", + "https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/" + ], + "synonyms": [ + "RotaJakiro" + ] + }, + "related": [ + { + "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "08e844a8-371f-4fe3-9d1f-e056e64a7fde", + "value": "RotaJakiro - S1078" + }, { "description": "[Truvasys](https://attack.mitre.org/software/S0178) is first-stage malware that has been used by [PROMETHIUM](https://attack.mitre.org/groups/G0056). It is a collection of modules written in the Delphi programming language. (Citation: Microsoft Win Defender Truvasys Sep 2017) (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)", "meta": { @@ -43299,6 +45697,242 @@ "uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79", "value": "PUNCHTRACK - S0197" }, + { + "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that [BOULDSPY](https://attack.mitre.org/software/S1079) primarily targeted minority groups in Iran.(Citation: lookout_bouldspy_0423)", + "meta": { + "external_id": "S1079", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1079", + "https://www.lookout.com/blog/iranian-spyware-bouldspy" + ], + "synonyms": [ + "BOULDSPY" + ] + }, + "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d3bc5020-f6a2-41c0-8ccb-5e563101b60c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d446b9f0-06a9-4a8d-97ee-298cfee84f14", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "a2ee7d2d-fb45-44f3-8f67-9921c7810db1", + "value": "BOULDSPY - S1079" + }, + { + "description": "[Disco](https://attack.mitre.org/software/S1088) is a custom implant that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.(Citation: MoustachedBouncer ESET August 2023)", + "meta": { + "external_id": "S1088", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1088", + "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" + ], + "synonyms": [ + "Disco" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43c9bc06-715b-42db-972f-52d25c09a20c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "e1445afd-c359-45ed-8f27-626dc4d5e157", + "value": "Disco - S1088" + }, { "description": "[Starloader](https://attack.mitre.org/software/S0188) is a loader component that has been observed loading [Felismus](https://attack.mitre.org/software/S0171) and associated tools. (Citation: Symantec Sowbug Nov 2017)", "meta": { @@ -43333,6 +45967,103 @@ "uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", "value": "Starloader - S0188" }, + { + "description": "[SharpDisco](https://attack.mitre.org/software/S1089) is a dropper developed in C# that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 to load malicious plugins.(Citation: MoustachedBouncer ESET August 2023)", + "meta": { + "external_id": "S1089", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1089", + "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" + ], + "synonyms": [ + "SharpDisco" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "1fefb062-feda-484a-8f10-0cebf65e20e3", + "value": "SharpDisco - S1089" + }, { "description": "[NETWIRE](https://attack.mitre.org/software/S0198) is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.(Citation: FireEye APT33 Sept 2017)(Citation: McAfee Netwire Mar 2015)(Citation: FireEye APT33 Webinar Sept 2017)", "meta": { @@ -44251,6 +46982,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -44349,6 +47087,13 @@ ], "type": "uses" }, + { + "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "tags": [ @@ -44399,6 +47144,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1d44f529-6fe6-489f-8a01-6261ac43f05e", "tags": [ @@ -45905,6 +48657,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -46031,6 +48790,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea", @@ -49192,7 +51958,7 @@ "refs": [ "https://attack.mitre.org/software/S0274", "https://securelist.com/calisto-trojan-for-macos/86543/", - "https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days" + "https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days" ], "synonyms": [ "Calisto" @@ -52223,6 +54989,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "tags": [ @@ -58455,6 +61228,13 @@ ] }, "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ @@ -58518,6 +61298,13 @@ ], "type": "uses" }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "tags": [ @@ -58538,6 +61325,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", @@ -59331,6 +62125,13 @@ ], "type": "uses" }, + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -61400,6 +64201,27 @@ ], "type": "uses" }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "tags": [ @@ -61407,6 +64229,13 @@ ], "type": "uses" }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", "tags": [ @@ -61449,6 +64278,41 @@ ], "type": "uses" }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "494ab9f0-36e0-4b06-b10d-57285b040a06", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470", "tags": [ @@ -61484,6 +64348,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ @@ -61491,6 +64362,13 @@ ], "type": "uses" }, + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -61540,6 +64418,13 @@ ], "type": "uses" }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ @@ -61561,6 +64446,13 @@ ], "type": "uses" }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ @@ -63501,6 +66393,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -66241,6 +69140,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -66883,6 +69789,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "tags": [ @@ -69160,6 +72073,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -69468,6 +72388,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -69782,6 +72709,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "tags": [ @@ -72256,6 +75190,13 @@ ] }, "related": [ + { + "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ @@ -72745,6 +75686,13 @@ ], "type": "uses" }, + { + "dest-uuid": "4a2975db-414e-4c0c-bd92-775987514b4b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "tags": [ @@ -74943,5 +77891,5 @@ "value": "HermeticWizard - S0698" } ], - "version": 29 + "version": 30 } diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json index 964aa97..28edd5f 100644 --- a/clusters/mitre-tool.json +++ b/clusters/mitre-tool.json @@ -2021,6 +2021,13 @@ ] }, "related": [ + { + "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ @@ -2289,6 +2296,64 @@ "uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "value": "Tasklist - S0057" }, + { + "description": "[ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)", + "meta": { + "external_id": "S0508", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0508", + "https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf", + "https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/" + ], + "synonyms": [ + "ngrok" + ] + }, + "related": [ + { + "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906", + "value": "ngrok - S0508" + }, { "description": "[NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)", "meta": { @@ -2647,6 +2712,173 @@ "uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52", "value": "Cachedump - S0119" }, + { + "description": "Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)", + "meta": { + "external_id": "S1091", + "mitre_platforms": [ + "IaaS" + ], + "refs": [ + "https://attack.mitre.org/software/S1091", + "https://github.com/RhinoSecurityLabs/pacu" + ], + "synonyms": [ + "Pacu" + ] + }, + "related": [ + { + "dest-uuid": "16e94db9-b5b1-4cd0-b851-f38fbd0a70f2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "77532a55-c283-4cd2-bc5d-2d0b65e9d88c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cacc40da-4c9e-462c-80d5-fd70a178b12d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cfb525cc-5494-401d-a82b-2539ca46a561", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e848506b-8484-4410-8017-3d235a52f5b3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "1b3b8f96-43b1-4460-8e02-1f53d7802fb9", + "value": "Pacu - S1091" + }, { "description": "[Winexe](https://attack.mitre.org/software/S0191) is a lightweight, open source tool similar to [PsExec](https://attack.mitre.org/software/S0029) designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) [Winexe](https://attack.mitre.org/software/S0191) is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)", "meta": { @@ -3074,6 +3306,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ @@ -3754,6 +3993,119 @@ "uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", "value": "SDelete - S0195" }, + { + "description": "[AsyncRAT](https://attack.mitre.org/software/S1087) is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)", + "meta": { + "external_id": "S1087", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1087", + "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader", + "https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/", + "https://telefonicatech.com/blog/snip3-investigacion-malware" + ], + "synonyms": [ + "AsyncRAT" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "6a5947f3-1a36-4653-8734-526df3e1d28d", + "value": "AsyncRAT - S1087" + }, { "description": "[MimiPenguin](https://attack.mitre.org/software/S0179) is a credential dumper, similar to [Mimikatz](https://attack.mitre.org/software/S0002), designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)", "meta": { @@ -6640,6 +6992,13 @@ ], "type": "uses" }, + { + "dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "54ca26f3-c172-4231-93e5-ccebcac2161f", "tags": [ @@ -6880,5 +7239,5 @@ "value": "Mythic - S0699" } ], - "version": 28 + "version": 29 }