MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [att&ck] update to ATT&CK v10

pull/669/head v2.4.151
Christophe Vandeplas 2021-10-22 14:34:25 +02:00
parent ab41df7282
commit aeb5719448
6 changed files with 12690 additions and 531 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1283
clusters/mitre-attack-pattern.json
View File

File diff suppressed because it is too large Load Diff

620
clusters/mitre-course-of-action.json
View File

@ -519,6 +519,48 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "7d77a07d-02fe-4e88-8bd9-e9c008c01bf0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "d456de47-a16f-4e46-8980-e67478a12dcb",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "824add00-99a1-4b15-9a2d-6c5683b7b497",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "eb88d97c-32f1-40be-80f0-d61a4b0b4b31",
@ -843,6 +885,20 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "ccde43e4-78f9-4f32-b401-c081e7db71ea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433",
@ -876,7 +932,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1005",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -901,7 +957,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1006",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -1761,7 +1817,7 @@
"http://msdn.microsoft.com/en-US/library/ms682586",
"https://github.com/mattifestation/PowerSploit",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
]
},
@ -1785,7 +1841,7 @@
"https://attack.mitre.org/mitigations/T1044",
"https://github.com/mattifestation/PowerSploit",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://seclists.org/fulldisclosure/2015/Dec/34"
]
@ -1809,7 +1865,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1049",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -1857,7 +1913,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1066",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -1949,7 +2005,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1181",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -2203,7 +2259,7 @@
"https://attack.mitre.org/mitigations/T1486",
"https://www.ready.gov/business/implementation/IT",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -2363,7 +2419,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1033",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -2519,6 +2575,167 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "bf147104-abf9-4221-95d1-e81585859441",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "3d1b9d7e-3921-4d25-845a-7d9f15c0da44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "90f39ee1-d5a3-4aaa-9f28-3b42815b0d46",
@ -2554,7 +2771,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1500",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -2841,7 +3058,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1080",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -3001,7 +3218,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1061",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -3099,7 +3316,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1202",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx",
@ -3254,7 +3471,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1063",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -3279,7 +3496,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1046",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -3514,7 +3731,7 @@
"https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/",
"https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx",
@ -3592,7 +3809,7 @@
"https://adsecurity.org/?p=556",
"https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -4141,7 +4358,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1494",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -4591,7 +4808,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1020",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -4664,7 +4881,7 @@
"https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach",
"https://technet.microsoft.com/en-us/library/dn408187.aspx",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx",
@ -4785,7 +5002,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1009",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -4964,6 +5181,20 @@
],
"type": "mitigates"
},
{
"dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b22e5153-ac28-4cc6-865c-2054e36285cb",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3",
"tags": [
@ -5872,7 +6103,7 @@
"https://technet.microsoft.com/en-us/library/cc732713.aspx",
"https://technet.microsoft.com/en-us/library/cc731150.aspx",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -6670,6 +6901,34 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "d456de47-a16f-4e46-8980-e67478a12dcb",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "93e7968a-9074-4eac-8ae9-9f5200ec3317",
@ -6682,7 +6941,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1108",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx",
@ -6804,7 +7063,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1022",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -8055,6 +8314,20 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "9bb9e696-bff8-4ae1-9454-961fc7d91d5f",
@ -8417,6 +8690,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "2f316f6c-ae42-44fe-adf8-150989e0f6d3",
@ -8725,7 +9005,7 @@
"https://msdn.microsoft.com/en-us/library/ff919712.aspx",
"https://skanthak.homepage.t-online.de/sentinel.html",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"
]
@ -8777,7 +9057,7 @@
"https://technet.microsoft.com/library/jj852168.aspx",
"https://technet.microsoft.com/library/dn221960.aspx",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -9214,7 +9494,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1093",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -9393,6 +9673,83 @@
"uuid": "787fb64d-c87b-4ee5-a341-0ef17ec4c15c",
"value": "Do Not Mitigate - M1055"
},
{
"description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
"meta": {
"external_id": "M1057",
"refs": [
"https://attack.mitre.org/mitigations/M1057",
"https://purplesec.us/data-loss-prevention/"
]
},
"related": [
{
"dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "65401701-019d-44ff-b223-08d520bb0e7b",
"value": "Data Loss Prevention - M1057"
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"meta": {
@ -9426,7 +9783,7 @@
"https://attack.mitre.org/mitigations/T1087",
"https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -9568,7 +9925,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1114",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -9613,7 +9970,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1115",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -9681,7 +10038,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1119",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -9774,7 +10131,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1125",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -10181,7 +10538,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1186",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -10341,7 +10698,7 @@
"https://attack.mitre.org/mitigations/T1488",
"https://www.ready.gov/business/implementation/IT",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -10437,13 +10794,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"tags": [
@ -10653,6 +11003,20 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "b045d015-6bed-4490-bd38-56b41ece59a0",
@ -11605,6 +11969,27 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "ccde43e4-78f9-4f32-b401-c081e7db71ea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "1553b156-6767-47f7-9eb4-2a692505666d",
@ -11848,6 +12233,20 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "a64a820a-cb21-471f-920c-506a2ff04fa5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1",
@ -11971,7 +12370,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1014",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -12631,6 +13030,41 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a",
@ -13213,7 +13647,7 @@
"refs": [
"https://attack.mitre.org/mitigations/T1036",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
@ -13764,6 +14198,48 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "ffbcfdb0-de22-4106-9ed3-fc23c8a01407",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
@ -13973,6 +14449,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067",
@ -14154,6 +14637,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "590777b3-b475-4c7c-aaf8-f4a73b140312",
@ -15311,6 +15801,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "ccde43e4-78f9-4f32-b401-c081e7db71ea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c",
@ -15821,11 +16318,46 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8",
"value": "Audit - M1047"
}
],
"version": 19
"version": 20
}

3324
clusters/mitre-intrusion-set.json
View File

File diff suppressed because it is too large Load Diff

7771
clusters/mitre-malware.json
View File

File diff suppressed because it is too large Load Diff

212
clusters/mitre-tool.json
View File

@ -1337,6 +1337,20 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
@ -1513,6 +1527,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c256da91-6dd5-40b2-beeb-ee3b22ab3d27",
@ -1676,7 +1697,7 @@
"refs": [
"https://attack.mitre.org/software/S0075",
"https://technet.microsoft.com/en-us/library/cc732643.aspx",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"
],
"synonyms": [
"Reg",
@ -2207,6 +2228,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "066b057c-944e-4cfc-b654-e3dfba04b926",
@ -2799,7 +2827,7 @@
"type": "uses"
},
{
"dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662",
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@ -3275,7 +3303,8 @@
"https://attack.mitre.org/software/S0262",
"https://github.com/quasar/QuasarRAT",
"https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
"https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/"
],
"synonyms": [
"QuasarRAT",
@ -4463,11 +4492,145 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3",
"value": "Empire - S0363"
},
{
"description": "[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control framework written in Golang.(Citation: Bishop Fox Sliver Framework August 2019)",
"meta": {
"external_id": "S0633",
"mitre_platforms": [
"Windows",
"Linux",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0633",
"https://labs.bishopfox.com/tech-blog/sliver"
],
"synonyms": [
"Sliver"
]
},
"related": [
{
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "11f8d7eb-1927-4806-9267-3a11d4d4d6be",
"value": "Sliver - S0633"
},
{
"description": "[RawDisk](https://attack.mitre.org/software/S0364) is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.(Citation: EldoS RawDisk ITpro)(Citation: Novetta Blockbuster Destructive Malware)",
"meta": {
@ -4958,6 +5121,47 @@
"uuid": "5fc81b43-62b5-41b1-9113-c79ae5f030c4",
"value": "CARROTBALL - S0465"
},
{
"description": "[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)",
"meta": {
"external_id": "S0645",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0645",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil"
],
"synonyms": [
"Wevtutil"
]
},
"related": [
{
"dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f91162cc-1686-4ff8-8115-bf3f61a4cc7a",
"value": "Wevtutil - S0645"
},
{
"description": "[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted networks.(Citation: CME Github September 2018)",
"meta": {
@ -5119,5 +5323,5 @@
"value": "CrackMapExec - S0488"
}
],
"version": 20
"version": 21
}

11
tools/mitre-cti/v2.0/create_mitre-galaxy.py
View File

@ -149,10 +149,13 @@ for domain in domains:
rel_source['tags'] = [
"estimative-language:likelihood-probability=\"almost-certain\""
]
if 'related' not in all_data_uuid[source_uuid]:
all_data_uuid[source_uuid]['related'] = []
if rel_source not in all_data_uuid[source_uuid]['related']:
all_data_uuid[source_uuid]['related'].append(rel_source)
try:
if 'related' not in all_data_uuid[source_uuid]:
all_data_uuid[source_uuid]['related'] = []
if rel_source not in all_data_uuid[source_uuid]['related']:
all_data_uuid[source_uuid]['related'].append(rel_source)
except KeyError:
pass # ignore relations from which we do not know the source
# LATER find the opposite word of "rel_type" and build the relation in the opposite direction