MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [att&ck] bump to latest ATT&CK version from MITRE

pull/648/head
Christophe Vandeplas 2021-04-29 18:12:36 +02:00
parent 211a4b5145
commit 86ee7008b2
5 changed files with 19520 additions and 3241 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5470
clusters/mitre-attack-pattern.json
View File

File diff suppressed because it is too large Load Diff

567
clusters/mitre-course-of-action.json
View File

@ -498,6 +498,27 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "eb88d97c-32f1-40be-80f0-d61a4b0b4b31",
@ -595,6 +616,41 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "800f9819-7007-4540-a520-40e655876800",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "0470e792-32f8-46b0-a351-652bc35e9336",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "1dcaeb21-9348-42ea-950a-f842aaf1ae1f",
@ -780,6 +836,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "e083305c-49e7-4c87-aae8-9689213bffbe",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433",
@ -878,13 +941,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
@ -1204,6 +1260,13 @@
],
"type": "mitigates"
},
{
"dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
"tags": [
@ -1463,13 +1526,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
"tags": [
@ -1532,6 +1588,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "987988f0-cf86-4680-a875-2f6456ab2448",
@ -3340,6 +3403,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "b9f0c069-abbe-4a07-a245-2481219a1463",
@ -4064,30 +4134,6 @@
"uuid": "245075bc-f992-4d89-af8c-834c53d403f4",
"value": "Transmitted Data Manipulation Mitigation - T1493"
},
{
"description": "Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as Bloodhound (version 1.5.1 and later)(Citation: GitHub Bloodhound).\n\nConsider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.(Citation: Wald0 Guide to GPOs)(Citation: Microsoft WMI Filters)(Citation: Microsoft GPO Security Filtering)",
"meta": {
"external_id": "T1484",
"refs": [
"https://attack.mitre.org/mitigations/T1484",
"https://github.com/BloodHoundAD/BloodHound",
"https://wald0.com/?p=179",
"https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/",
"https://docs.microsoft.com/en-us/previous-versions/windows/desktop/Policy/filtering-the-scope-of-a-gpo"
]
},
"related": [
{
"dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "2108b914-eee1-45cc-8840-36272b19596a",
"value": "Group Policy Modification Mitigation - T1484"
},
{
"description": "Identify critical business and system processes that may be targeted by adversaries and work to secure those systems against tampering. Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code. Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)",
"meta": {
@ -4904,6 +4950,20 @@
],
"type": "mitigates"
},
{
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3",
"tags": [
@ -5415,6 +5475,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "12241367-a8b7-49b4-b86e-2236901ba50c",
@ -5784,6 +5851,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "e3388c78-2a8d-47c2-8422-c1398b324462",
@ -6170,6 +6244,13 @@
],
"type": "mitigates"
},
{
"dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
"tags": [
@ -6547,6 +6628,48 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "94cb00a4-b295-4d06-aa2b-5653b9c1be9c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "1126cab1-c700-412f-a510-61f4937bb096",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "0470e792-32f8-46b0-a351-652bc35e9336",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "93e7968a-9074-4eac-8ae9-9f5200ec3317",
@ -6872,6 +6995,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "a2c36a5d-4058-475e-8e77-fff75e50d3b9",
@ -7855,6 +7985,76 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "94cb00a4-b295-4d06-aa2b-5653b9c1be9c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "24769ab5-14bd-4f4e-a752-cfb185da53ee",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "1126cab1-c700-412f-a510-61f4937bb096",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "800f9819-7007-4540-a520-40e655876800",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "9bb9e696-bff8-4ae1-9454-961fc7d91d5f",
@ -8210,6 +8410,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "2f316f6c-ae42-44fe-adf8-150989e0f6d3",
@ -8352,6 +8559,13 @@
],
"type": "mitigates"
},
{
"dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b",
"tags": [
@ -11014,13 +11228,41 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "800f9819-7007-4540-a520-40e655876800",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "0470e792-32f8-46b0-a351-652bc35e9336",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "86598de0-b347-4928-9eb0-0acbfc21908c",
"value": "Network Segmentation - M1030"
},
{
"description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as [Detect App Analysis Environment](https://attack.mitre.org/techniques/T1440) exist that can enable adversaries to bypass vetting.",
"description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as [Evade Analysis Environment](https://attack.mitre.org/techniques/T1523) exist that can enable adversaries to bypass vetting.",
"meta": {
"external_id": "M1005",
"refs": [
@ -11356,6 +11598,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "e083305c-49e7-4c87-aae8-9689213bffbe",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "1553b156-6767-47f7-9eb4-2a692505666d",
@ -11592,6 +11841,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1",
@ -11986,6 +12242,20 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "e5d930e9-775a-40ad-9bdb-b941d8dfe86b",
@ -12354,6 +12624,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a",
@ -12806,6 +13083,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "90c218c3-fbf8-4830-98a7-e8cfb7eaa485",
@ -13452,6 +13736,34 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
@ -13598,6 +13910,69 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "94cb00a4-b295-4d06-aa2b-5653b9c1be9c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "cca0ccb6-a068-4574-a722-b1556f86833a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "8982a661-d84c-48c0-b4ec-1db29c6cf3bc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067",
@ -13772,6 +14147,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "590777b3-b475-4c7c-aaf8-f4a73b140312",
@ -13869,6 +14251,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "7da0387c-ba92-4553-b291-b636ee42b2eb",
@ -14728,6 +15117,48 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "506f6f49-7045-4156-9007-7474cb44ad6d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "31fe0ba2-62fd-4fd9-9293-4043d84f7fe9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "84771bc3-f6a0-403e-b144-01af70e5fda0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "c071d8c1-3b3a-4f22-9407-ca4e96921069",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "84ae8255-b4f4-4237-b5c5-e717405a9701",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "78bb71be-92b4-46de-acd6-5f998fedf1cc",
@ -14873,6 +15304,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "e083305c-49e7-4c87-aae8-9689213bffbe",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c",
@ -15251,13 +15689,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a",
"tags": [
@ -15348,11 +15779,53 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "94cb00a4-b295-4d06-aa2b-5653b9c1be9c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "800f9819-7007-4540-a520-40e655876800",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8",
"value": "Audit - M1047"
}
],
"version": 18
"version": 19
}

6468
clusters/mitre-intrusion-set.json
View File

File diff suppressed because it is too large Load Diff

9671
clusters/mitre-malware.json
View File

File diff suppressed because it is too large Load Diff

585
clusters/mitre-tool.json
View File

@ -66,6 +66,110 @@
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69",
"value": "Pass-The-Hash Toolkit - S0122"
},
{
"description": "[CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020)",
"meta": {
"external_id": "S0527",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0527",
"https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"
],
"synonyms": [
"CSPY Downloader"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5256c0f8-9108-4c92-8b09-482dfacdcd94",
"value": "CSPY Downloader - S0527"
},
{
"description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.(Citation: Imminent Unit42 Dec2019)",
"meta": {
@ -381,6 +485,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
@ -397,7 +508,7 @@
"refs": [
"https://attack.mitre.org/software/S0040",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
"https://s3.eu-west-1.amazonaws.com/ncsc-content/files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
"https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools"
],
"synonyms": [
"HTRAN",
@ -1232,7 +1343,7 @@
"value": "PsExec - S0029"
},
{
"description": "The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\n[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) using <code>net use</code> commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as <code>net1 user</code>.",
"description": "The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\n[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) using <code>net use</code> commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as <code>net1 user</code>.",
"meta": {
"external_id": "S0039",
"mitre_platforms": [
@ -1639,6 +1750,66 @@
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
"value": "Tasklist - S0057"
},
{
"description": "[NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)",
"meta": {
"external_id": "S0590",
"mitre_platforms": [
"Windows",
"Linux",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0590",
"https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html",
"https://sectools.org/tool/nbtscan/",
"https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments",
"https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html"
],
"synonyms": [
"NBTscan"
]
},
"related": [
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8",
"value": "NBTscan - S0590"
},
{
"description": "[FTP](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data. (Citation: Wikipedia FTP)",
"meta": {
@ -1942,6 +2113,105 @@
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b",
"value": "xCmd - S0123"
},
{
"description": "[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT Wocao December 2019)",
"meta": {
"external_id": "S0521",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0521",
"https://github.com/BloodHoundAD/BloodHound",
"https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/",
"https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf"
],
"synonyms": [
"BloodHound"
]
},
"related": [
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "066b057c-944e-4cfc-b654-e3dfba04b926",
"value": "BloodHound - S0521"
},
{
"description": "[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) [Pupy](https://attack.mitre.org/software/S0192) is publicly available on GitHub. (Citation: GitHub Pupy)",
"meta": {
@ -2414,6 +2684,61 @@
"uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2",
"value": "Forfiles - S0193"
},
{
"description": "[Out1](https://attack.mitre.org/software/S0594) is a remote access tool written in python and used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021.(Citation: Trend Micro Muddy Water March 2021)",
"meta": {
"external_id": "S0594",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0594",
"https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
],
"synonyms": [
"Out1"
]
},
"related": [
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "80c815bb-b24a-4b9c-9d73-ff4c075a278d",
"value": "Out1 - S0594"
},
{
"description": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)",
"meta": {
@ -2449,7 +2774,7 @@
"value": "Responder - S0174"
},
{
"description": "[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1086) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)",
"description": "[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)",
"meta": {
"external_id": "S0194",
"mitre_platforms": [
@ -2663,7 +2988,7 @@
"type": "uses"
},
{
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@ -2701,6 +3026,125 @@
"uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830",
"value": "meek - S0175"
},
{
"description": "[IronNetInjector](https://attack.mitre.org/software/S0581) is a [Turla](https://attack.mitre.org/groups/G0010) toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including [ComRAT](https://attack.mitre.org/software/S0126).(Citation: Unit 42 IronNetInjector February 2021 )",
"meta": {
"external_id": "S0581",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0581",
" https://unit42.paloaltonetworks.com/ironnetinjector/"
],
"synonyms": [
"IronNetInjector"
]
},
"related": [
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b1595ddd-a783-482a-90e1-8afc8d48467e",
"value": "IronNetInjector - S0581"
},
{
"description": "[ConnectWise](https://attack.mitre.org/software/S0591) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://attack.mitre.org/groups/G0069) and [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) to connect to and conduct lateral movement in target environments.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)",
"meta": {
"external_id": "S0591",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0591",
"https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies",
"https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
],
"synonyms": [
"ConnectWise",
"ScreenConnect"
]
},
"related": [
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "842976c7-f9c8-41b2-8371-41dc64fbe261",
"value": "ConnectWise - S0591"
},
{
"description": "[SDelete](https://attack.mitre.org/software/S0195) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)",
"meta": {
@ -2950,7 +3394,7 @@
],
"refs": [
"https://attack.mitre.org/software/S0227",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
"https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
],
"synonyms": [
"spwebmember"
@ -3103,7 +3547,7 @@
"value": "Remcos - S0332"
},
{
"description": "[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1086). Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)",
"description": "[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1059/001). Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)",
"meta": {
"external_id": "S0378",
"mitre_platforms": [
@ -3341,6 +3785,111 @@
"uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc",
"value": "PoshC2 - S0378"
},
{
"description": "[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)",
"meta": {
"external_id": "S0552",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0552",
"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ ",
"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"
],
"synonyms": [
"AdFind"
]
},
"related": [
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f59508a6-3615-47c3-b493-6676e1a39a87",
"value": "AdFind - S0552"
},
{
"description": "[RemoteUtilities](https://attack.mitre.org/software/S0592) is a legitimate remote administration tool that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021 for execution on target machines.(Citation: Trend Micro Muddy Water March 2021)",
"meta": {
"external_id": "S0592",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0592",
"https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
],
"synonyms": [
"RemoteUtilities"
]
},
"related": [
{
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "03c6e0ea-96d3-4b23-9afb-05055663cf4b",
"value": "RemoteUtilities - S0592"
},
{
"description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)",
"meta": {
@ -3411,7 +3960,7 @@
"value": "Xbot - S0298"
},
{
"description": "[Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1086) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)",
"description": "[Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1059/001) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)",
"meta": {
"external_id": "S0363",
"mitre_platforms": [
@ -3421,8 +3970,8 @@
],
"refs": [
"https://attack.mitre.org/software/S0363",
"https://s3.eu-west-1.amazonaws.com/ncsc-content/files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf",
"https://github.com/PowerShellEmpire/Empire",
"https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools",
"https://github.com/EmpireProject/Empire",
"https://github.com/dstepanic/attck_empire"
],
"synonyms": [
@ -3818,7 +4367,7 @@
"type": "uses"
},
{
"dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
"dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@ -3907,6 +4456,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3",
@ -4034,6 +4590,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b",
@ -4556,5 +5119,5 @@
"value": "CrackMapExec - S0488"
}
],
"version": 19
"version": 20
}