From bbbd006215aa680336e06b051308b03175a24447 Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Mon, 8 May 2023 14:04:50 +0000
Subject: [PATCH] chg: [mitre] bump to v13.

---
 clusters/mitre-attack-pattern.json | 981 +++++-
 clusters/mitre-course-of-action.json | 4068 +++---------------------
 clusters/mitre-intrusion-set.json | 2383 +++++++-------
 clusters/mitre-malware.json | 4081 ++++++++++++++++++++++----
 clusters/mitre-tool.json | 376 ++-
 5 files changed, 5902 insertions(+), 5987 deletions(-)

diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json
index d035b35..ca66d8d 100644
--- a/clusters/mitre-attack-pattern.json
+++ b/clusters/mitre-attack-pattern.json
@@ -639,7 +639,6 @@
 "http://msdn.microsoft.com/en-us/library/aa376977",
 "https://attack.mitre.org/techniques/T1547/001",
 "https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/",
- "https://capec.mitre.org/data/definitions/270.html",
 "https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry",
 "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
 "https://technet.microsoft.com/en-us/sysinternals/bb963902"
@@ -834,9 +833,7 @@
 "Windows"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1574/007",
- "https://capec.mitre.org/data/definitions/13.html",
- "https://capec.mitre.org/data/definitions/38.html"
+ "https://attack.mitre.org/techniques/T1574/007"
 ]
 },
 "related": [
@@ -869,7 +866,6 @@
 "http://msdn.microsoft.com/en-us/library/ms682425",
 "http://msdn.microsoft.com/en-us/library/ms687393",
 "https://attack.mitre.org/techniques/T1574/008",
- "https://capec.mitre.org/data/definitions/159.html",
 "https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120",
 "https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN"
 ]
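Review bot: Every `capec.mitre.org` URL is dropped from `refs` in this hunk and in the hunks at @@ -639, @@ -834, @@ -1535, @@ -1736, @@ -2128, @@ -2155, @@ -2925, @@ -3078, @@ -3673, @@ -3799, @@ -3867 and @@ -3906, while the commit message only says `bump to v13`. Consumers that pivot from a technique to its CAPEC entries through `refs` lose that cross-reference silently, with nothing in the commit record explaining why. The removal presumably mirrors the upstream ATT&CK v13 data the cluster is generated from, but that is not stated anywhere. A sentence in the commit description such as `CAPEC external references are no longer present in the v13 bundle and are dropped from refs` would make the data change discoverable for downstream users.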
@@ -1457,7 +1453,7 @@
 "value": "LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001"
 },
 {
- "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ",
+ "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ",
 "meta": {
 "external_id": "T1048.003",
 "kill_chain": [
@@ -1473,11 +1469,13 @@
 "mitre_platforms": [
 "Linux",
 "macOS",
- "Windows"
+ "Windows",
+ "Network"
 ],
 "refs": [
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
- "https://attack.mitre.org/techniques/T1048/003"
+ "https://attack.mitre.org/techniques/T1048/003",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/C_commands.html#wp1068167689"
 ]
 },
 "related": [
@@ -1535,7 +1533,6 @@
 "refs": [
 "http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf",
 "https://attack.mitre.org/techniques/T1036/005",
- "https://capec.mitre.org/data/definitions/177.html",
 "https://docs.docker.com/engine/reference/commandline/images/",
 "https://twitter.com/ItsReallyNick/status/1055321652777619457"
 ]
@@ -1550,7 +1547,7 @@
 "value": "Match Legitimate Name or Location - T1036.005"
 },
 {
- "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\n\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. ",
+ "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\n\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)",
 "meta": {
 "external_id": "T1562.004",
 "kill_chain": [
@@ -1568,7 +1565,8 @@
 "Windows"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1562/004"
+ "https://attack.mitre.org/techniques/T1562/004",
+ "https://twitter.com/TheDFIRReport/status/1498657772254240768"
 ]
 },
 "related": [
@@ -1581,7 +1579,7 @@
 "value": "Disable or Modify System Firewall - T1562.004"
 },
 {
- "description": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity.(Citation: Expel IO Evil in AWS)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.",
+ "description": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity, or remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.",
 "meta": {
 "external_id": "T1562.007",
 "kill_chain": [
@@ -1596,7 +1594,8 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1562/007",
- "https://expel.io/blog/finding-evil-in-aws/"
+ "https://expel.io/blog/finding-evil-in-aws/",
+ "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/"
 ]
 },
 "related": [
@@ -1683,6 +1682,36 @@
 "uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
 "value": "Windows Management Instrumentation Event Subscription - T1546.003"
 },
+ {
+ "description": "Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information. \n\nText storage sites are often used to host malicious code for C2 communication (e.g., [Stage Capabilities](https://attack.mitre.org/techniques/T1608)), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.(Citation: Pastebin EchoSec)\n\n**Note:** This is distinct from [Exfiltration to Code Repository](https://attack.mitre.org/techniques/T1567/001), which highlight access to code repositories via APIs.",
+ "meta": {
+ "external_id": "T1567.003",
+ "kill_chain": [
+ "mitre-attack:exfiltration"
+ ],
+ "mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Network Traffic: Network Traffic Flow"
+ ],
+ "mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1567/003",
+ "https://web.archive.org/web/20201107203304/https://www.echosec.net/blog/what-is-pastebin-and-why-do-hackers-love-it"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "ba04e672-da86-4e69-aa15-0eca5db25f43",
+ "value": "Exfiltration to Text Storage Sites - T1567.003"
+ },
 {
 "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
 "meta": {
@@ -1736,7 +1765,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1574/009",
- "https://capec.mitre.org/data/definitions/38.html",
 "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree",
 "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464",
 "https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/",
@@ -2128,8 +2156,7 @@
 "Linux"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1037",
- "https://capec.mitre.org/data/definitions/564.html"
+ "https://attack.mitre.org/techniques/T1037"
 ]
 },
 "uuid": "03259939-0b57-482f-8eb5-87c0e0d54334",
@@ -2155,8 +2182,7 @@
 "Windows"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1039",
- "https://capec.mitre.org/data/definitions/639.html"
+ "https://attack.mitre.org/techniques/T1039"
 ]
 },
 "uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c",
@@ -2925,7 +2951,6 @@
 "http://msdn.microsoft.com/en-us/library/aa376977",
 "https://attack.mitre.org/techniques/T1547",
 "https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order",
- "https://capec.mitre.org/data/definitions/564.html",
 "https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx",
 "https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx",
 "https://technet.microsoft.com/en-us/sysinternals/bb963902",
@@ -2966,7 +2991,7 @@
 "value": "Remotely Track Device Without Authorization - T1468"
 },
 {
- "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)\n\nAuthentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)\n\nAbusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.\n\nAdversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned)",
+ "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)\n\nAuthentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)\n\nAbusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.\n\nAdversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned)",
 "meta": {
 "external_id": "T1649",
 "kill_chain": [
@@ -2994,7 +3019,8 @@
 "https://github.com/TheWover/CertStealer",
 "https://o365blog.com/post/deviceidentity/",
 "https://posts.specterops.io/certified-pre-owned-d95910965cd2",
- "https://web.archive.org/web/20220818094600/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf"
+ "https://web.archive.org/web/20220818094600/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf",
+ "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming"
 ]
 },
 "uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331",
@@ -3078,7 +3104,6 @@
 "https://attack.mitre.org/techniques/T1558",
 "https://blog.stealthbits.com/detect-pass-the-ticket-attacks",
 "https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/",
- "https://capec.mitre.org/data/definitions/652.html",
 "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf",
 "https://docs.microsoft.com/windows-server/administration/windows-commands/klist",
 "https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285",
@@ -3185,7 +3210,7 @@
 "value": "OS-vendor provided communication channels - T1390"
 },
 {
- "description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.\n\nAdversaries in possession credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.\n\nIn some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)",
+ "description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.\n\nAdversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.\n\nIn some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)",
 "meta": {
 "external_id": "T1621",
 "kill_chain": [
@@ -3248,7 +3273,7 @@
 "value": "Rogue Wi-Fi Access Points - T1465"
 },
 {
- "description": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\n\nThe event logs can be cleared with the following utility commands:\n\n* wevtutil cl system\n* wevtutil cl application\n* wevtutil cl security\n\nThese logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "description": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\n\nThe event logs can be cleared with the following utility commands:\n\n* wevtutil cl system\n* wevtutil cl application\n* wevtutil cl security\n\nThese logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)",
 "meta": {
 "external_id": "T1070.001",
 "kill_chain": [
@@ -3266,7 +3291,8 @@
 "https://attack.mitre.org/techniques/T1070/001",
 "https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog",
 "https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil",
- "https://msdn.microsoft.com/library/system.diagnostics.eventlog.clear.aspx"
+ "https://msdn.microsoft.com/library/system.diagnostics.eventlog.clear.aspx",
+ "https://ptylu.github.io/content/report/report.html?report=25"
 ]
 },
 "related": [
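Review bot: The citation `https://ptylu.github.io/content/report/report.html?report=25` added to `refs` here, and again in the hunk at @@ -3673, points at a personal GitHub Pages report, whereas other volatile sources in this file are pinned to `web.archive.org` snapshots (the echosec ref in the new T1567.003 entry, the Certified_Pre-Owned PDF in T1649). A personal page can disappear or be repurposed, which would leave the `disable_win_evt_logging` citation in two technique descriptions unresolvable. If this cluster is regenerated from the upstream ATT&CK bundle, the fix belongs upstream; otherwise consider recording an archived snapshot alongside the live URL.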
@@ -3570,7 +3596,7 @@
 "value": "Extra Window Memory Injection - T1055.011"
 },
 {
- "description": "Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)\n\nCreating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003)).",
+ "description": "Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)\n\nCreating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process.\n\nWhile this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process.",
 "meta": {
 "external_id": "T1134.002",
 "kill_chain": [
@@ -3649,7 +3675,7 @@
 "value": "System Runtime API Hijacking - T1625.001"
 },
 {
- "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)\n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)",
+ "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) \n\nAdversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)",
 "meta": {
 "external_id": "T1562.001",
 "kill_chain": [
@@ -3673,9 +3699,9 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1562/001",
- "https://capec.mitre.org/data/definitions/578.html",
 "https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf",
 "https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/",
+ "https://ptylu.github.io/content/report/report.html?report=25",
 "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947",
 "https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html",
 "https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/",
@@ -3724,7 +3750,7 @@
 "value": "Compromise Software Supply Chain - T1195.002"
 },
 {
- "description": "Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.",
+ "description": "Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.\n\nThis behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.",
 "meta": {
 "external_id": "T1134.003",
 "kill_chain": [
@@ -3799,7 +3825,6 @@
 "refs": [
 "http://msdn.microsoft.com/en-us/library/bb166549.aspx",
 "https://attack.mitre.org/techniques/T1546/001",
- "https://capec.mitre.org/data/definitions/556.html",
 "https://docs.microsoft.com/windows-server/administration/windows-commands/assoc",
 "https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs",
 "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd"
@@ -3867,7 +3892,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1574/001",
- "https://capec.mitre.org/data/definitions/471.html",
 "https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637",
 "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN",
 "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN",
@@ -3906,8 +3930,7 @@
 "Windows"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1574/010",
- "https://capec.mitre.org/data/definitions/17.html"
+ "https://attack.mitre.org/techniques/T1574/010"
 ]
 },
 "related": [
@@ -3979,7 +4002,7 @@ "value": "Network Address Translation Traversal - T1599.001" }, { - "description": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\n\nThe EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\\Local Policies\\Audit Policy for basic audit policy settings or Security Settings\\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)\n\nAdversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. 
For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)\n\nBy disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.", + "description": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\n\nThe EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\\Local Policies\\Audit Policy for basic audit policy settings or Security Settings\\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)\n\nAdversaries may target system-wide logging or just that of a particular application. 
For example, the Windows EventLog service may be disabled using the Set-Service -Name EventLog -Status Stopped or sc config eventlog start=disabled commands (followed by manually stopping the service using Stop-Service -Name EventLog).(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging) Additionally, the service may be disabled by modifying the “Start” value in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog then restarting the system for the change to take effect.(Citation: disable_win_evt_logging)\n\nThere are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the \"Start\" value in the key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Security, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) Second, with Administrator privilege, adversaries may modify the same values in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-System and HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Application to disable the entire EventLog.(Citation: disable_win_evt_logging)\n\nAdditionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. 
For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)\n\nBy disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.", "meta": { "external_id": "T1562.002", "kill_chain": [ @@ -4003,8 +4026,10 @@ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings", "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md", + "https://ptylu.github.io/content/report/report.html?report=25", "https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html", "https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c", + "https://web.archive.org/web/20211107115646/https://twitter.com/klinix5/status/1457316029114327040", "https://www.coretechnologies.com/blog/windows-services/eventlog/", "https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/" @@ -4038,7 +4063,6 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1562/003", - "https://capec.mitre.org/data/definitions/13.html", "https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit", "https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7" 
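Review bot: The new T1562.002 description (the hunk starting at `@@ -3979`) names the same registry value two ways inside one string: typographic quotes in `modifying the “Start” value` and escaped ASCII quotes in `modify the \"Start\" value in the key`, while the neighbouring T1562.001 text uses the typographic form throughout. For consistency the second occurrence should read `adversaries may modify the “Start” value in the key`. If this cluster is generated from the upstream ATT&CK STIX bundle, the wording fix belongs upstream or in the generator rather than as a hand edit here.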
@@ -4565,7 +4589,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1574/011",
- "https://capec.mitre.org/data/definitions/478.html",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree",
 "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN",
@@ -4619,7 +4642,7 @@ "value": "Component Object Model Hijacking - T1546.015" }, { - "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\n\nOne such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)\n\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)", + "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. 
Methods for doing that include built-in functionality of malware or by using utilities present on the system.\n\nOne such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)\n\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)",
 "meta": {
 "external_id": "T1140",
 "kill_chain": [
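Review bot: The rewritten T1140 description tightens two citations to `file.(Citation: Malwarebytes ...)` and `payload.(Citation: Carbon Black ...)` but leaves the third as `adversary. (Citation: Volexity PowerDuke November 2016)`, so the string now mixes both spacings. Changing it to `adversary.(Citation: Volexity PowerDuke November 2016)` makes the new text self-consistent. The T1027 description hunk ending at the line holding `@@ -5177` has the same mix, with `(Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto ...)` side by side. Since the text is presumably taken verbatim from the v13 STIX bundle, this is a point to raise upstream rather than to patch in the generated cluster.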
@@ -4712,7 +4735,7 @@
 "value": "Data Transfer Size Limits - T1030"
 },
 {
- "description": "Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n",
+ "description": "Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n",
 "meta": {
 "external_id": "T1005",
 "kill_chain": [
@@ -4733,6 +4756,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1005",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_protocols_through_showmon.html#wp2760878733",
 "https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits",
 "https://www.us-cert.gov/ncas/alerts/TA18-106A"
 ]
@@ -4815,7 +4839,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1016",
- "https://capec.mitre.org/data/definitions/309.html",
 "https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits",
 "https://www.us-cert.gov/ncas/alerts/TA18-106A"
 ]
@@ -4996,7 +5019,7 @@ "value": "Data from Configuration Repository - T1602" }, { - "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. 
(Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ", + "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. 
(Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ",
 "meta": {
 "external_id": "T1027",
 "kill_chain": [
@@ -5008,7 +5031,10 @@
 "File: File Metadata",
 "Module: Module Load",
 "Process: OS API Execution",
- "Process: Process Creation"
+ "Process: Process Creation",
+ "Script: Script Execution",
+ "WMI: WMI Creation",
+ "Windows Registry: Windows Registry Key Creation"
 ],
 "mitre_platforms": [
 "Linux",
@@ -5017,12 +5043,11 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1027",
- "https://capec.mitre.org/data/definitions/267.html",
 "https://github.com/danielbohannon/Revoke-Obfuscation",
 "https://github.com/itsreallynick/office-crackros",
 "https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
+ "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
 "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/",
- "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
 "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf",
 "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/",
 "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/"
@@ -5177,8 +5202,6 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1083",
 "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
- "https://capec.mitre.org/data/definitions/127.html",
- "https://capec.mitre.org/data/definitions/497.html",
 "https://www.us-cert.gov/ncas/alerts/TA18-106A"
 ]
 },
@@ -5340,13 +5363,15 @@ "value": "Obtain Device Cloud Backups - T1470" }, { - "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) ", + "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. 
\n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques)\n\nMany IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or [Cloud API](https://attack.mitre.org/techniques/T1059/009).",
 "meta": {
 "external_id": "T1048",
 "kill_chain": [
 "mitre-attack:exfiltration"
 ],
 "mitre_data_sources": [
+ "Application Log: Application Log Content",
+ "Cloud Storage: Cloud Storage Access",
 "Command: Command Execution",
 "File: File Access",
 "Network Traffic: Network Connection Creation",
@@ -5356,7 +5381,12 @@
 "mitre_platforms": [
 "Linux",
 "macOS",
- "Windows"
+ "Windows",
+ "Office 365",
+ "SaaS",
+ "IaaS",
+ "Google Workspace",
+ "Network"
 ],
 "refs": [
 "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
@@ -5481,7 +5511,11 @@
 "Linux",
 "macOS",
 "Windows",
- "Network"
+ "Network",
+ "Office 365",
+ "Azure AD",
+ "IaaS",
+ "Google Workspace"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1059",
@@ -5805,7 +5839,7 @@ "value": "Kernel Modules and Extensions - T1215" }, { - "description": "Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\n\nAn adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. ", + "description": "Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. 
A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\n\nAn adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. ",
 "meta": {
 "external_id": "T1612",
 "kill_chain": [
@@ -7068,10 +7102,6 @@
 "refs": [
 "https://arstechnica.com/information-technology/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/",
 "https://attack.mitre.org/techniques/T1499",
- "https://capec.mitre.org/data/definitions/125.html",
- "https://capec.mitre.org/data/definitions/130.html",
- "https://capec.mitre.org/data/definitions/131.html",
- "https://capec.mitre.org/data/definitions/227.html",
 "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf",
 "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html",
 "https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf",
@@ -7333,7 +7363,7 @@ "value": "Dynamic-link Library Injection - T1055.001" }, { - "description": "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)", + "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. 
The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)", "meta": { "external_id": "T1190", "kill_chain": [ 
@@ -7359,7 +7389,9 @@
 "https://nvd.nist.gov/vuln/detail/CVE-2016-6662",
 "https://us-cert.cisa.gov/ncas/alerts/TA18-106A",
 "https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/",
- "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project"
+ "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem",
+ "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project",
+ "https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/"
 ]
 },
 "uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
@@ -7409,7 +7441,7 @@
 "value": "Non-Application Layer Protocol - T1095"
 },
 {
- "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.",
+ "description": "Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.",
 "meta": {
 "external_id": "T1095",
 "kill_chain": [
@@ -7409,7 +7441,7 @@ "value": "Non-Application Layer Protocol - T1095" }, { - "description": "Adversaries may target multi-factor authentication (MFA) mechanisms, (I.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \n\nIf a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)\n\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)\n\nOther methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental)", + "description": "Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) 
to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \n\nIf a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)\n\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)\n\nOther methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users’ phones.(Citation: Okta Scatter Swine 2022)", "meta": { "external_id": "T1111", "kill_chain": [ 
@@ -7426,10 +7458,10 @@
 "macOS"
 ],
 "refs": [
- "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf",
 "https://attack.mitre.org/techniques/T1111",
 "https://dl.mandiant.com/EE/assets/PDF_MTrends_2011.pdf",
- "https://gcn.com/cybersecurity/2011/06/rsa-confirms-its-tokens-used-in-lockheed-hack/282818/"
+ "https://gcn.com/cybersecurity/2011/06/rsa-confirms-its-tokens-used-in-lockheed-hack/282818/",
+ "https://sec.okta.com/scatterswine"
 ]
 },
 "uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49",
@@ -7581,7 +7613,6 @@
 "refs": [
 "http://support.microsoft.com/kb/314984",
 "https://attack.mitre.org/techniques/T1021/002",
- "https://capec.mitre.org/data/definitions/561.html",
 "https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem",
 "https://docs.microsoft.com/en-us/archive/blogs/jepayne/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts",
 "https://en.wikipedia.org/wiki/Server_Message_Block",
@@ -7777,13 +7808,14 @@ "value": "Clear Command History - T1070.003" }, { - "description": "Adversaries may modify mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails or logs generated by the application or operating system, such as export requests. \n\nAdversaries may manipulate email mailbox data to remove logs and artifacts, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)", + "description": "Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests. 
\n\nAdversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)\n\nAdversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.(Citation: Microsoft OAuth Spam 2022)", "meta": { "external_id": "T1070.008", "kill_chain": [ "mitre-attack:defense-evasion" ], "mitre_data_sources": [ + "Application Log: Application Log Content", "Command: Command Execution", "File: File Deletion", "File: File Modification", 
@@ -7801,6 +7833,7 @@
 "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
 "https://docs.microsoft.com/en-us/powershell/module/exchange/?view=exchange-ps#mailboxes",
 "https://man7.org/linux/man-pages/man1/mailx.1p.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/",
 "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"
 ]
 },
@@ -7894,7 +7927,6 @@
 "refs": [
 "http://blog.crowdstrike.com/adversary-tricks-crowdstrike-treats/",
 "https://attack.mitre.org/techniques/T1021/001",
- "https://capec.mitre.org/data/definitions/555.html",
 "https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx"
 ]
 },
@@ -8176,7 +8208,7 @@ "value": "Local Data Staging - T1074.001" }, { - "description": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) \n\nIn AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)\n\nOAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. 
Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)\n\nFor example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\n\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.", + "description": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) \n\nOAuth is one commonly implemented framework that issues tokens to users for access to systems. 
These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)\n\nFor example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\n\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)\n\nDirect API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. 
For example, in AWS environments, an adversary who compromises a user’s AWS API credentials may be able to use the `sts:GetFederationToken` API call to create a federated user session, which will have the same permissions as the original user but may persist even if the original user credentials are deactivated.(Citation: Crowdstrike AWS User Federation Persistence) Additionally, access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.",
 "meta": {
 "external_id": "T1550.001",
 "kill_chain": [
@@ -8197,7 +8229,6 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1550/001",
 "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/",
- "https://capec.mitre.org/data/definitions/593.html",
 "https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials",
 "https://cloud.google.com/iam/docs/service-account-monitoring",
 "https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen",
@@ -8205,7 +8236,8 @@
 "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html",
 "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens",
 "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration",
- "https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/"
+ "https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/",
+ "https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/"
 ]
 },
 "related": [
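Review bot: The new `sts:GetFederationToken` sentence in the `+ "description"` line of the T1550.001 hunk overstates the outcome: as I recall the AWS STS reference, a federated session's effective permissions are the intersection of the IAM user's policies and the session policy supplied in the call (passing no session policy yields a session with no permissions), and the call is only accepted with an IAM user's long-term access keys, not with temporary credentials — a more defensible wording would be `which will have at most the permissions of the original user (bounded by the session policy supplied in the call)`. The persistence claim is also bounded: federated sessions live at most 36 hours (12 by default, if memory serves) and survive access-key deactivation but not deletion of the IAM user or a deny policy conditioned on `aws:TokenIssueTime`, which is the response step a defender reading this entry actually needs. Since this cluster is regenerated from upstream ATT&CK STIX, the wording fix belongs upstream rather than in a hand edit here. The same claim is repeated in the T1098.001 hunk later in this diff, so any correction should cover both.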
@@ -8250,7 +8282,7 @@ "value": "SQL Stored Procedures - T1505.001" }, { - "description": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.\n\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) Additionally, xcopy on Windows can copy files and directories with a variety of options.\n\nAdversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)", + "description": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.\n\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. \n\nOn Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) xcopy on Windows can copy files and directories with a variety of options. 
Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. \n\nAdversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)", "meta": { "external_id": "T1560.001", "kill_chain": [ 
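Review bot: The added sentence `adversaries may use [certutil](...) to Base64 encode collected data before exfiltration` in the `+ "description"` line carries no `(Citation: …)` marker, unlike the other new claims in this bump, and Base64 is an encoding rather than the compression/encryption this sub-technique ("Archive via Utility") describes, so an analyst mapping detections to it should look for `certutil -encode`/`-decode` command lines rather than archive creation; the certutil LOLBAS entry would be the natural citation. The pre-existing word order `Adversaries may use also third party utilities` also survives the rewrite and should read `may also use`. Both are upstream ATT&CK wording, so the fix would go to MITRE rather than this generated cluster.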
@@ -8285,14 +8317,13 @@ "value": "Archive via Utility - T1560.001" }, { - "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nFor example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. 
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)", + "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nFor example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. 
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)\n\nIn AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation Persistence)",
 "meta": {
 "external_id": "T1098.001",
 "kill_chain": [
 "mitre-attack:persistence"
 ],
 "mitre_data_sources": [
- "Active Directory: Active Directory Object Modification",
 "User Account: User Account Modification"
 ],
 "mitre_platforms": [
@@ -8309,6 +8340,7 @@
 "https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/",
 "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
 "https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1",
+ "https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/",
 "https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815"
 ]
 },
@@ -8465,7 +8497,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1550/002",
- "https://capec.mitre.org/data/definitions/644.html",
 "https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/"
 ]
 },
@@ -8532,7 +8563,6 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1056/002",
 "https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html",
- "https://capec.mitre.org/data/definitions/659.html",
 "https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/",
 "https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/",
 "https://logrhythm.com/blog/do-you-trust-your-computer/",
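Review bot: The `- "Active Directory: Active Directory Object Modification"` line in the T1098.001 hunk leaves `User Account: User Account Modification` as the only data source, while the unchanged description still covers adding x509 keys and passwords to Azure AD service principals and applications; if that matches the upstream v13 STIX it is fine, but it is worth confirming against the source export rather than assuming, because consumers who derive Azure AD audit-log collection requirements from `mitre_data_sources` lose that hint. For the new `sts:GetFederationToken` paragraph, the caveat a responder needs is that deactivating or rotating the compromised user's access keys does not invalidate already-issued federated sessions (up to 36 hours, if I recall the STS limits correctly), so containment must delete the IAM user or attach a deny policy conditioned on `aws:TokenIssueTime`, and hunting should cover CloudTrail `GetFederationToken` events; a note such as `These sessions are revoked by deleting the IAM user or by a deny policy on aws:TokenIssueTime, not by deactivating the access key` would make the persistence claim actionable. This is upstream ATT&CK text, so the suggestion is for the galaxy's consumers and an upstream report rather than a local edit.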
@@ -8698,7 +8728,6 @@
 "http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf",
 "https://adsecurity.org/?p=556",
 "https://attack.mitre.org/techniques/T1550/003",
- "https://capec.mitre.org/data/definitions/645.html",
 "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf",
 "https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/"
 ]
@@ -8730,7 +8759,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1056/003",
- "https://capec.mitre.org/data/definitions/569.html",
 "https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/"
 ]
 },
@@ -8844,8 +8872,7 @@
 ],
 "refs": [
 "https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/",
- "https://attack.mitre.org/techniques/T1036/006",
- "https://capec.mitre.org/data/definitions/649.html"
+ "https://attack.mitre.org/techniques/T1036/006"
 ]
 },
 "related": [
@@ -8915,6 +8942,36 @@ "uuid": "c071d8c1-3b3a-4f22-9407-ca4e96921069", "value": "Install Digital Certificate - T1608.003" }, + { + "description": "Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`. \n\nAdversaries may edit the header’s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001)) so that adversaries may move their malware without triggering detections. \n\nCommon non-executable file types and extensions, such as text files (`.txt`) and image files (`.jpg`, `.gif`, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif. 
A user may not know that a file is malicious due to the benign appearance and file extension.\n\nPolygot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.(Citation: polygot_icedID)", + "meta": { + "external_id": "T1036.008", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "Command: Command Execution", + "File: File Modification" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1036/008", + "https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "type": "subtechnique-of" + } + ], + "uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", + "value": "Masquerade File Type - T1036.008" + }, { "description": "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)\n(Citation: Microsoft O365 Admin Roles) \n\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. 
This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\n\nFor example, in Azure AD environments, an adversary with the Application Administrator role can add [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to their application's service principal. In doing so the adversary would be able to gain the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) Similarly, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)\n\nSimilarly, an adversary with the Azure AD Global Administrator role can toggle the “Access management for Azure resources” option to gain the ability to assign privileged access to Azure subscriptions and virtual machines to Azure AD users, including themselves.(Citation: Azure AD to AD) ",
 "meta": {
@@ -9007,7 +9064,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1550/004",
- "https://capec.mitre.org/data/definitions/60.html",
 "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
 "https://wunderwuzzi23.github.io/blog/passthecookie.html"
 ]
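Review bot: The new T1036.008 entry misspells "polyglot" as `Polygot` in the `+ "description"` line (`Polygot files, which are files that have multiple different file types`); the citation key `polygot_icedID` must stay as upstream generates it, but the prose should read `Polyglot files`, and since the cluster is regenerated from ATT&CK the typo should be reported upstream or analysts searching the galaxy for the correct term will miss this entry. The listed `mitre_data_sources` (`Command: Command Execution`, `File: File Modification`) do not name the signal that actually catches this technique — a mismatch between a file's magic bytes and its extension or declared content type, which is exactly the `0xFF 0xD8` JPEG header check the description itself describes — so detection engineers should treat content inspection at upload handlers, mail gateways and EDR as the practical control rather than this list. I am assuming `42e8de7b-37b2-4258-905a-6897815e58e0` in `related` is the uuid of the T1036 Masquerading parent; it is worth checking against that entry, because a wrong `dest-uuid` silently breaks the `subtechnique-of` relationship without any validation error.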
@@ -9064,7 +9120,7 @@ "value": "Credential API Hooking - T1056.004" }, { - "description": "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.\n\nAdversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm)\n\nWhere authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. 
", + "description": "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.\n\nAdversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) \n\nWhere authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. 
\n\nSSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)",
 "meta": {
 "external_id": "T1098.004",
 "kill_chain": [
@@ -9078,13 +9134,15 @@
 "mitre_platforms": [
 "Linux",
 "macOS",
- "IaaS"
+ "IaaS",
+ "Network"
 ],
 "refs": [
 "https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/",
 "https://attack.mitre.org/techniques/T1098/004",
 "https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata",
 "https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/update",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478",
 "https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability",
 "https://www.ssh.com/ssh/authorized_keys/",
 "https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities"
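Review bot: The sentence `modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes”` retained in the `+ "description"` line of the T1098.004 hunk is stale: `RSAAuthentication` was the SSH protocol 1 option and, as far as I recall, was removed from OpenSSH in the 7.4 timeframe, so a defender auditing `sshd_config` on a current system will not find it and only `PubkeyAuthentication` is relevant — upstream should drop `and RSAAuthentication`. The new network-device sentence is correct for Cisco IOS, but the matching detection (diffing `show running-config` for new `ip ssh pubkey-chain` entries, or AAA command accounting) is not reflected in anything visible in this diff, and this entry's `mitre_data_sources` are outside the visible hunks, so that mapping should be checked when the data sources are reviewed. Both points concern upstream ATT&CK text and are notes for the galaxy's consumers rather than a local edit.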
@@ -9345,14 +9403,15 @@
 "value": "Compiled HTML File - T1218.001"
 },
 {
- "description": "Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)\n\nAny user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)",
+ "description": "Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)\n\nAny user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)\n\nIn some environments, administrators may be able to enable email forwarding rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to enable forwarding on all or specific mail an organization receives. ",
 "meta": {
 "external_id": "T1114.003",
 "kill_chain": [
 "mitre-attack:collection"
 ],
 "mitre_data_sources": [
- "Application Log: Application Log Content"
+ "Application Log: Application Log Content",
+ "Command: Command Execution"
 ],
 "mitre_platforms": [
 "Office 365",
@@ -9365,6 +9424,7 @@
 "https://attack.mitre.org/techniques/T1114/003",
 "https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/",
 "https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/",
+ "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
 "https://support.apple.com/guide/mail/reply-to-forward-or-redirect-emails-mlhlp1010/mac",
 "https://www.us-cert.gov/ncas/alerts/TA18-086A"
 ]
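Review bot: The citation label `(Citation: US-CERT TA18-068A 2018)` in the new description and the reference `https://www.us-cert.gov/ncas/alerts/TA18-086A` in the following `@@ -9365` hunk disagree on the alert number; the URL is the resolvable identifier, so the label looks like a digit transposition of `TA18-086A`. Both lines are carried over unchanged (the label is also in the removed `-` line), so this is presumably inherited from the upstream ATT&CK data the cluster is generated from and is best corrected there rather than by hand-editing the generated JSON. The two hunks are otherwise consistent: the new `Command: Command Execution` data source and the added mail-flow-rules reference both match the transport-rules paragraph appended to the description.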
@@ -9555,7 +9615,7 @@
 "value": "Security Software Discovery - T1418.001"
 },
 {
- "description": "Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)",
+ "description": "Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have also been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)",
 "meta": {
 "external_id": "T1561.001",
 "kill_chain": [
@@ -9616,7 +9676,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1518/001",
- "https://capec.mitre.org/data/definitions/581.html",
 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html",
 "https://expel.io/blog/finding-evil-in-aws/"
 ]
@@ -9713,7 +9772,6 @@
 "http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx",
 "http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html",
 "https://attack.mitre.org/techniques/T1552/001",
- "https://capec.mitre.org/data/definitions/639.html",
 "https://posts.specterops.io/head-in-the-clouds-bd038bb69e48",
 "https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/",
 "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/"
@@ -9729,7 +9787,7 @@
 "value": "Credentials In Files - T1552.001"
 },
 {
- "description": "Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)",
+ "description": "Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.\n\nOn a network devices, adversaries may reformat the file system using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `format`.(Citation: format_cmd_cisco)\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)",
 "meta": {
 "external_id": "T1561.002",
 "kill_chain": [
@@ -9745,7 +9803,8 @@
 "mitre_platforms": [
 "Linux",
 "macOS",
- "Windows"
+ "Windows",
+ "Network"
 ],
 "refs": [
 "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/",
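Review bot: The sentence added to the description reads `On a network devices, adversaries may reformat the file system`, a singular article on a plural noun; `On network devices, adversaries may reformat the file system` is the intended reading. The text is presumably copied verbatim from upstream ATT&CK v13, so the correction belongs in the source data or the generator rather than in this generated file. The `Network` platform added in the `@@ -9745` hunk and the Cisco command reference added in the hunk after it are consistent with the new sentence.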
@@ -9753,6 +9812,7 @@
 "https://docs.microsoft.com/sysinternals/downloads/sysmon",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf",
 "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/F_through_K.html#wp2829794668",
 "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html",
 "https://www.symantec.com/connect/blogs/shamoon-attacks"
 ]
@@ -9961,7 +10021,7 @@
 "value": "Domain Generation Algorithms - T1637.001"
 },
 {
- "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\n\nMalicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\n\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)",
+ "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\\\SYSVOL\\\\Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\n\nMalicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\n\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)",
 "meta": {
 "external_id": "T1484.001",
 "kill_chain": [
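Review bot: The SYSVOL path in the new description lost its domain components: the removed line gives (JSON-escaped) `\\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\` while the added line gives `\\\\SYSVOL\\\\Policies\\`, which is not a valid UNC location for GPO files, yet the two `<GPO_PATH>` placeholders later in the same string survived. That pattern suggests the angle-bracket placeholders were stripped as markup somewhere between the upstream ATT&CK v13 text and this generator, so the source STIX object and the generator's HTML/markdown handling are both worth checking before the next bump. It matters for readers of this entry because file-integrity and access-audit rules for GPO tampering are keyed on the exact `\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\` share path; restoring the two `<DOMAIN>` segments inside the new backtick-quoted path is the only correction needed in the string.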
@@ -10030,7 +10090,7 @@
 "value": "Process Argument Spoofing - T1564.010"
 },
 {
- "description": "An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.\n\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgit bit, chmod 2775 and chmod g+s can be used.\n\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a \"shell escape\" or other actions to bypass an execution environment with restricted permissions.\n\nAlternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)",
+ "description": "An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.\n\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.\n\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a \"shell escape\" or other actions to bypass an execution environment with restricted permissions.\n\nAlternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)",
 "meta": {
 "external_id": "T1548.001",
 "kill_chain": [
@@ -10085,8 +10145,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1498/001",
- "https://capec.mitre.org/data/definitions/125.html",
- "https://capec.mitre.org/data/definitions/486.html",
 "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf",
 "https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged"
 ]
@@ -10119,8 +10177,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1499/001",
- "https://capec.mitre.org/data/definitions/469.html",
- "https://capec.mitre.org/data/definitions/482.html",
 "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf",
 "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf",
 "https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/",
@@ -10466,9 +10522,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1499/002",
- "https://capec.mitre.org/data/definitions/488.html",
- "https://capec.mitre.org/data/definitions/489.html",
- "https://capec.mitre.org/data/definitions/528.html",
 "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf",
 "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf",
 "https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/",
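Review bot: The only change to this description is the `setgit` → `setgid` correction, but the same string still contains `The setuid and setguid bits are indicated with an \"s\"`, and `setguid` is not a real bit name; the sentence should read `The setuid and setgid bits are indicated with an \"s\"`. Like the rest of this file the text is generated from upstream ATT&CK, so the remaining typo is best reported there so the next bump picks it up. The three `@@ -10085`, `@@ -10119` and `@@ -10466` hunks that follow only drop CAPEC references and need no further review.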
@@ -10690,7 +10743,7 @@
 "value": "Domain Generation Algorithms - T1568.002"
 },
 {
- "description": "An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. \n\nCloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)",
+ "description": "An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities.\n\nFor example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)",
 "meta": {
 "external_id": "T1562.008",
 "kill_chain": [
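Review bot: The new Office 365 sentence in the description names the `Set-MailboxAuditBypassAssociation` cmdlet, Advanced Auditing and an E5-to-E3 license downgrade as ways mailbox audit logging can be suppressed, but its only supporting citation is a trade-press article (`Dark Reading Microsoft 365 Attacks 2021`, whose URL is added in the following `@@ -10698` hunk); a primary Microsoft reference for the cmdlet and for what audit coverage each license tier provides would let detection engineers verify the claim before building coverage on it. The same `@@ -10698` hunk adds `User Account: User Account Modification` as a data source and widens `mitre_platforms` to SaaS, Google Workspace, Azure AD and Office 365, while the description still only gives AWS and Office 365 examples, so readers get no pointer for the Google Workspace or Azure AD cases; presumably an upstream choice, but worth noting when the data is consumed for coverage mapping.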
@@ -10698,17 +10751,23 @@
 ],
 "mitre_data_sources": [
 "Cloud Service: Cloud Service Disable",
- "Cloud Service: Cloud Service Modification"
+ "Cloud Service: Cloud Service Modification",
+ "User Account: User Account Modification"
 ],
 "mitre_platforms": [
- "IaaS"
+ "IaaS",
+ "SaaS",
+ "Google Workspace",
+ "Azure AD",
+ "Office 365"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1562/008",
 "https://cloud.google.com/logging/docs/audit/configure-data-access",
 "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html",
 "https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete",
- "https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/"
+ "https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/",
+ "https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591"
 ]
 },
 "related": [
@@ -10890,7 +10949,6 @@
 "refs": [
 "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf",
 "https://attack.mitre.org/techniques/T1553/004",
- "https://capec.mitre.org/data/definitions/479.html",
 "https://docs.microsoft.com/sysinternals/downloads/sigcheck",
 "https://en.wikipedia.org/wiki/Root_certificate",
 "https://objective-see.com/blog/blog_0x26.html",
@@ -11101,8 +11159,7 @@
 "Windows"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1566/003",
- "https://capec.mitre.org/data/definitions/163.html"
+ "https://attack.mitre.org/techniques/T1566/003"
 ]
 },
 "related": [
@@ -11229,7 +11286,6 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1547/004",
 "https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order",
- "https://capec.mitre.org/data/definitions/579.html",
 "https://technet.microsoft.com/en-us/sysinternals/bb963902"
 ]
 },
@@ -11468,8 +11524,6 @@
 "http://www.nth-dimension.org.uk/pub/BTL.pdf",
 "https://attack.mitre.org/techniques/T1574/006",
 "https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/",
- "https://capec.mitre.org/data/definitions/13.html",
- "https://capec.mitre.org/data/definitions/640.html",
 "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html",
 "https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191",
 "https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/",
@@ -11489,7 +11543,7 @@
 "value": "Dynamic Linker Hijacking - T1574.006"
 },
 {
- "description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)",
+ "description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)\n\nIn some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).",
 "meta": {
 "external_id": "T1564.008",
 "kill_chain": [
@@ -11511,6 +11565,7 @@ "https://attack.mitre.org/techniques/T1564/008", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps", + "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules", "https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac", "https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59", "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154", 
@@ -11557,6 +11612,72 @@ "uuid": "0708ae90-d0eb-4938-9a76-d0fc94f6eec1", "value": "Revert Cloud Instance - T1578.004" }, + { + "description": "Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.(Citation: NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify) \n\nAdversaries can configure a malicious network provider DLL to receive credentials from `mpnotify.exe`.(Citation: NPPSPY) Once installed as a credential manager (via the Registry), a malicious DLL can receive and save credentials each time a user logs onto a Windows workstation or domain via the `NPLogonNotify()` function.(Citation: NPLogonNotify)\n\nAdversaries may target planting malicious network provider DLLs on systems known to have increased logon activity and/or administrator logon activity, such as servers and domain controllers.(Citation: NPPSPY - Huntress)", + "meta": { + "external_id": "T1556.008", + "kill_chain": [ + "mitre-attack:credential-access", + "mitre-attack:defense-evasion", + "mitre-attack:persistence" + ], + "mitre_data_sources": [ + "File: File Creation", + "Process: OS API Execution", + "Windows Registry: Windows Registry Key Creation", + "Windows Registry: Windows Registry Key Modification" + ], + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1556/008", + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + 
"https://learn.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify", + "https://learn.microsoft.com/en-us/windows/win32/secauthn/network-provider-api", + "https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy", + "https://www.youtube.com/watch?v=ggY3srD9dYs" + ] + }, + "related": [ + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "type": "subtechnique-of" + } + ], + "uuid": "90c4a591-d02d-490b-92aa-619d9701ac04", + "value": "Network Provider DLL - T1556.008" + }, + { + "description": "Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.\n\nRather than or in addition to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), an adversary can spoof positive affirmations that security tools are continuing to function even after legitimate security tools have been disabled (e.g., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)). An adversary can also present a “healthy” system status even after infection. 
This can be abused to enable further malicious activity by delaying defender responses.\n\nFor example, adversaries may show a fake Windows Security GUI and tray icon with a “healthy” system status after Windows Defender and other system tools have been disabled.(Citation: BlackBasta)", + "meta": { + "external_id": "T1562.011", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "Process: Process Creation", + "Sensor Health: Host Status" + ], + "mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1562/011", + "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/" + ] + }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "type": "subtechnique-of" + } + ], + "uuid": "bef8aaee-961d-4359-a308-4c2182bcedff", + "value": "Spoof Security Alerting - T1562.011" + }, { "description": "Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)\n\nWithin an XDG autostart entry file, the Type key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). 
The Name key indicates an arbitrary name assigned by the creator and the Exec key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys)\n\nAdversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs.", "meta": { 
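Review bot: The new `T1556.008` entry's `mitre_data_sources` list registry key creation/modification, file creation and OS API execution, but the description itself says the stolen credentials flow through a DLL that `mpnotify.exe` loads and calls via `NPLogonNotify()`, so the telemetry most analysts actually key on — a new module loaded into `mpnotify.exe` — is not represented. Since this cluster is generated from the upstream ATT&CK v13 bundle, the gap should be reported upstream or tracked in a local override rather than hand-edited here, or the next bump will silently revert it. The same caution applies to the `T1562.011` entry, whose only citation (BlackBasta) is a Windows case while `mitre_platforms` also lists macOS and Linux; that is presumably intentional upstream scoping, but worth confirming before anyone builds platform-specific coverage off this file.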
@@ -11604,7 +11725,7 @@ "value": "Identify business processes/tempo - T1280" }, { - "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nVarious utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.", + "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. 
Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nVarious utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)", "meta": { "external_id": "T1033", "kill_chain": [ @@ -11624,11 +11745,13 @@ "mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "refs": [ "https://attack.mitre.org/techniques/T1033", - "https://capec.mitre.org/data/definitions/577.html" + "https://us-cert.cisa.gov/ncas/alerts/TA18-106A", + "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s5.html" ] }, "uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", 
@@ -11810,7 +11933,7 @@ "value": "Obtain booter/stressor subscription - T1396" }, { - "description": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.(Citation: Prevailion DarkWatchman 2021)", + "description": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)\n\nAdversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.", "meta": { "external_id": "T1010", "kill_chain": [ @@ -11828,7 +11951,8 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1010", - "https://www.prevailion.com/darkwatchman-new-fileless-techniques/" + "https://www.prevailion.com/darkwatchman-new-fileless-techniques/", + "https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" ] }, "uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", @@ -12005,8 +12129,7 @@ "Linux" ], "refs": [ - "https://attack.mitre.org/techniques/T1007", - "https://capec.mitre.org/data/definitions/574.html" + "https://attack.mitre.org/techniques/T1007" ] }, "uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", @@ -12034,7 +12157,6 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1080", - "https://capec.mitre.org/data/definitions/562.html", "https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html" ] }, 
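Review bot: The new `T1010` description carries an upstream typo, "could be used identify potential data to collect" (missing "to"), on the `+ "description"` line of the first hunk. Because this file is regenerated from the ATT&CK STIX bundle on every bump, the fix belongs in the upstream text rather than a local edit, otherwise the correction would be overwritten at v14; a one-line entry in the commit message or an upstream issue would be the right follow-up.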
@@ -12088,7 +12210,6 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1120", - "https://capec.mitre.org/data/definitions/646.html", "https://linuxhint.com/list-usb-devices-linux/", "https://ss64.com/osx/system_profiler.html" ] 
@@ -12235,7 +12356,7 @@ "value": "Device Administrator Permissions - T1401" }, { - "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)\n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)", + "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). 
\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)\n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)", "meta": { "external_id": "T1105", "kill_chain": [ 
@@ -12334,7 +12455,7 @@ "value": "Application Deployment Software - T1017" }, { - "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ", + "description": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ", "meta": { "external_id": "T1071", "kill_chain": [ @@ -12411,7 +12532,6 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1018", - "https://capec.mitre.org/data/definitions/292.html", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql", "https://www.us-cert.gov/ncas/alerts/TA18-106A" @@ -12690,8 +12810,7 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/techniques/T1072", - "https://capec.mitre.org/data/definitions/187.html" + "https://attack.mitre.org/techniques/T1072" ] }, "uuid": "92a78814-b191-47ca-909c-1ccfe3777414", 
@@ -12718,7 +12837,6 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1082", - "https://capec.mitre.org/data/definitions/312.html", "https://cloud.google.com/compute/docs/reference/rest/v1/instances", "https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html", "https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get", @@ -12898,7 +13016,6 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1046", - "https://capec.mitre.org/data/definitions/300.html", "https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/NetServices/Introduction.html", "https://themittenmac.com/what-does-apt-activity-look-like-on-macos/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a" 
@@ -12971,28 +13088,36 @@ "value": "Stored Application Data - T1409" }, { - "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no", + "description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair 
features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no\n* REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n\nOn network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. 
Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nAdversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)", "meta": { "external_id": "T1490", "kill_chain": [ "mitre-attack:impact" ], "mitre_data_sources": [ + "Cloud Storage: Cloud Storage Deletion", "Command: Command Execution", "File: File Deletion", "Process: Process Creation", "Service: Service Metadata", + "Snapshot: Snapshot Deletion", "Windows Registry: Windows Registry Key Modification" ], "mitre_platforms": [ "Windows", "macOS", - "Linux" + "Linux", + "Network", + "IaaS" ], "refs": [ "https://attack.mitre.org/techniques/T1490", "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html", - "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html" + "https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/", + "https://twitter.com/TheDFIRReport/status/1498657590259109894", + "https://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack", + "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", + "https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/" ] }, "uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", 
@@ -13260,7 +13385,7 @@ "value": "Cloud Infrastructure Discovery - T1580" }, { - "description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\n\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator)\n\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)", + "description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\n\nAdversaries may generate these credential materials in order to gain access to web resources. 
This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials.(Citation: AWS Temporary Security Credentials)\n\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) ", "meta": { "external_id": "T1606", "kill_chain": [ @@ -13283,6 +13408,7 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1606", + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html", "https://github.com/damianh/aws-adfs-credential-generator", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", 
@@ -13387,7 +13513,7 @@ "value": "NTFS File Attributes - T1096" }, { - "description": "Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.", + "description": "Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.\n\nAdversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: CrowdStrike BloodHound April 2018)", "meta": { "external_id": "T1069", "kill_chain": [ @@ -13413,8 +13539,8 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1069", - "https://capec.mitre.org/data/definitions/576.html", - "https://kubernetes.io/docs/reference/access-authn-authz/authorization/" + "https://kubernetes.io/docs/reference/access-authn-authz/authorization/", + "https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/" ] }, "uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", 
@@ -13648,7 +13774,7 @@ "value": "Credentials in Registry - T1214" }, { - "description": "An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\\\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. (Citation: Technet Windows Time Service)\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)", + "description": "An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service)\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\\\hostname to gather the system time on a remote system. 
The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.(Citation: Technet Windows Time Service)\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)", "meta": { "external_id": "T1124", "kill_chain": [ @@ -13660,14 +13786,15 @@ "Process: Process Creation" ], "mitre_platforms": [ - "Windows" + "Windows", + "Network" ], "refs": [ "https://any.run/cybersecurity-blog/time-bombs-malware-with-delayed-execution/", "https://attack.mitre.org/techniques/T1124", - "https://capec.mitre.org/data/definitions/295.html", "https://msdn.microsoft.com/ms724961.aspx", "https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-time-service-tools-and-settings", + "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674", "https://www.rsaconference.com/writable/presentations/file_upload/ht-209_rivner_schwartz.pdf" ] }, 
@@ -13689,7 +13816,7 @@ "value": "Determine strategic target - T1241" }, { - "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.\n\nBrowser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.\n\nSpecific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.", + "description": "Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)\n\nBrowser information may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.\n\nSpecific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., `%APPDATA%/Google/Chrome`).(Citation: Chrome Roaming Profiles)", "meta": { "external_id": "T1217", "kill_chain": [ 
@@ -13706,11 +13833,13 @@
 "macOS"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1217"
+ "https://attack.mitre.org/techniques/T1217",
+ "https://support.google.com/chrome/a/answer/7349337",
+ "https://www.kaspersky.com/blog/browser-data-theft/27871/"
 ]
 },
 "uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
- "value": "Browser Bookmark Discovery - T1217"
+ "value": "Browser Information Discovery - T1217"
 },
 {
 "description": "Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\Netsh.\n\nAdversaries can use netsh.exe with helper DLLs to proxy execution of arbitrary code in a persistent manner when netsh.exe is executed automatically with another Persistence technique or if other persistent software is present on the system that executes netsh.exe as part of its normal functionality. Examples include some VPN software that invoke netsh.exe. (Citation: Demaske Netsh Persistence)\n\nProof of concept code exists to load Cobalt Strike's payload using netsh.exe helper DLLs. (Citation: Github Netsh Helper CS Beacon)",
@@ -13792,7 +13921,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1133",
- "https://capec.mitre.org/data/definitions/555.html",
 "https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac",
 "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
 "https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html",
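Review bot: The `value` of T1217 changes from `Browser Bookmark Discovery - T1217` to `Browser Information Discovery - T1217` while its `uuid` stays `5e4a2073-9643-44cb-a0b5-e7f4048446c7`. Consumers that derive tag strings or lookups from the value rather than the uuid would stop matching data tagged with the old name after this bump; the unchanged uuid keeps the cluster identity for uuid-based matching. The rename comes from upstream, so the data itself needs no change, but it is worth listing in the changelog or release notes for this bump so operators can re-tag.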
@@ -13837,7 +13965,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1134",
- "https://capec.mitre.org/data/definitions/633.html",
 "https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx",
 "https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx",
 "https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx",
@@ -13850,7 +13977,7 @@
 "value": "Access Token Manipulation - T1134"
 },
 {
- "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)\n\nIn Windows, [Net](https://attack.mitre.org/software/S0039) utility, Set-LocalUser and Set-ADAccountPassword [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy. \n\nAdversaries who use ransomware may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective. ",
+ "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)\n\nIn Windows, [Net](https://attack.mitre.org/software/S0039) utility, Set-LocalUser and Set-ADAccountPassword [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy. \n\nAdversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective. ",
 "meta": {
 "external_id": "T1531",
 "kill_chain": [
@@ -13896,7 +14023,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1135",
- "https://capec.mitre.org/data/definitions/643.html",
 "https://en.wikipedia.org/wiki/Shared_resource",
 "https://technet.microsoft.com/library/cc770880.aspx"
 ]
@@ -14170,7 +14296,34 @@
 "value": "Spearphishing via Service - T1194"
 },
 {
- "description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predicable network path \\\\SYSVOL\\\\Policies\\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)\n\nAdversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.",
+ "description": "Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.(Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020)\n\nIf an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)",
+ "meta": {
+ "external_id": "T1651",
+ "kill_chain": [
+ "mitre-attack:execution"
+ ],
+ "mitre_data_sources": [
+ "Command: Command Execution",
+ "Process: Process Creation",
+ "Script: Script Execution"
+ ],
+ "mitre_platforms": [
+ "IaaS",
+ "Azure AD"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1651",
+ "https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html",
+ "https://learn.microsoft.com/en-us/azure/virtual-machines/run-command-overview",
+ "https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d",
+ "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/"
+ ]
+ },
+ "uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7",
+ "value": "Cloud Administration Command - T1651"
+ },
+ {
+ "description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\\\SYSVOL\\\\Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)\n\nAdversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.",
 "meta": {
 "external_id": "T1615",
 "kill_chain": [
@@ -14270,9 +14423,6 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1195",
 "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities",
- "https://capec.mitre.org/data/definitions/437.html",
- "https://capec.mitre.org/data/definitions/438.html",
- "https://capec.mitre.org/data/definitions/439.html",
 "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/",
 "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
 "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146&myns=s028&mynp=OCSTHGUJ&mynp=OCSTLM5A&mynp=OCSTLM6B&mynp=OCHW206&mync=E&cm_sp=s028-_-OCSTHGUJ-OCSTLM5A-OCSTLM6B-OCHW206-_-E",
@@ -14967,7 +15117,7 @@
 "value": "Implant Internal Image - T1525"
 },
 {
- "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. \n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nStormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)",
+ "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\n\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable Cloud Logs](https://attack.mitre.org/techniques/T1562/008).",
 "meta": {
 "external_id": "T1526",
 "kill_chain": [
@@ -14994,6 +15144,37 @@
 "uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db",
 "value": "Cloud Service Discovery - T1526"
 },
+ {
+ "description": "Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).\n\nMany OS utilities may provide information about local device drivers, such as `driverquery.exe` and the `EnumDeviceDrivers()` API function on Windows.(Citation: Microsoft Driverquery)(Citation: Microsoft EnumDeviceDrivers) Information about device drivers (as well as associated services, i.e., [System Service Discovery](https://attack.mitre.org/techniques/T1007)) may also be available in the Registry.(Citation: Microsoft Registry Drivers)\n\nOn Linux/macOS, device drivers (in the form of kernel modules) may be visible within `/dev` or using utilities such as `lsmod` and `modinfo`.(Citation: Linux Kernel Programming)(Citation: lsmod man)(Citation: modinfo man)",
+ "meta": {
+ "external_id": "T1652",
+ "kill_chain": [
+ "mitre-attack:discovery"
+ ],
+ "mitre_data_sources": [
+ "Command: Command Execution",
+ "Process: OS API Execution",
+ "Process: Process Creation",
+ "Windows Registry: Windows Registry Key Access"
+ ],
+ "mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1652",
+ "https://learn.microsoft.com/windows-hardware/drivers/install/overview-of-registry-trees-and-keys",
+ "https://learn.microsoft.com/windows-server/administration/windows-commands/driverquery",
+ "https://learn.microsoft.com/windows/win32/api/psapi/nf-psapi-enumdevicedrivers",
+ "https://linux.die.net/man/8/modinfo",
+ "https://man7.org/linux/man-pages/man8/lsmod.8.html",
+ "https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf"
+ ]
+ },
+ "uuid": "215d9700-5881-48b8-8265-6449dbb7195d",
+ "value": "Device Driver Discovery - T1652"
+ },
 {
 "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. \n\nThere are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.",
 "meta": {
@@ -16018,6 +16199,7 @@
 "Process: Process Access",
 "User Account: User Account Authentication",
 "User Account: User Account Modification",
+ "Windows Registry: Windows Registry Key Creation",
 "Windows Registry: Windows Registry Key Modification"
 ],
 "mitre_platforms": [
@@ -16109,7 +16291,7 @@
 "value": "Search Closed Sources - T1597"
 },
 {
- "description": "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.\n\nAll forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.\n\nAdversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.",
+ "description": "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.\n\nAll forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.\n\nAdversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)\n\nPhishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nPhishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)",
 "meta": {
 "external_id": "T1598",
 "kill_chain": [
@@ -16125,12 +16307,17 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1598",
+ "https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends",
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide",
 "https://github.com/ryhanson/phishery",
 "https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/",
 "https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/",
+ "https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/",
+ "https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-callback-phishing",
 "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
+ "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/",
 "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages",
+ "https://www.proofpoint.com/us/threat-reference/email-spoofing",
 "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html"
 ]
 },
@@ -16191,7 +16378,7 @@
 "value": "At (Linux) - T1053.001"
 },
 {
- "description": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)\n\nAdversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)",
+ "description": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)\n\nAdversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)",
 "meta": {
 "external_id": "T1553.005",
 "kill_chain": [
@@ -16317,7 +16504,7 @@
 "value": "One-Way Communication - T1102.003"
 },
 {
- "description": "Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).\n\nAdversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including inserting malicious script into web pages or other user controllable web content such as forum posts. Adversaries may also craft malicious web advertisements and purchase ad space on a website through legitimate ad providers. In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox)\n\nWebsites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to a strategic web compromise or watering hole attack.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).",
+ "description": "Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).\n\nAdversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including:\n\n* Inserting malicious scripts into web pages or other user controllable web content such as forum posts\n* Modifying script files served to websites from publicly writeable cloud storage buckets\n* Crafting malicious web advertisements and purchasing ad space on a website through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))\n\nIn addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox)\n\nWebsites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to a strategic web compromise or watering hole attack.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).",
 "meta": {
 "external_id": "T1608.004",
 "kill_chain": [
@@ -16455,7 +16642,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1574/002",
- "https://capec.mitre.org/data/definitions/641.html",
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf"
 ]
 },
@@ -16712,7 +16898,7 @@
 "value": "Re-opened Applications - T1164"
 },
 {
- "description": "Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.",
+ "description": "Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.\n\nAdversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)",
 "meta": {
 "external_id": "T1571",
 "kill_chain": [
@@ -16730,6 +16916,7 @@
 "refs": [
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
 "https://attack.mitre.org/techniques/T1571",
+ "https://twitter.com/TheDFIRReport/status/1498657772254240768",
 "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
 "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
 ]
@@ -16798,7 +16985,7 @@
 "value": "Multi-hop Proxy - T1188"
 },
 {
- "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. 
If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\n\nAdversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)",
+ "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. 
With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)), including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting\n* Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary\n* Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. 
Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\n\nAdversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)",
 "meta": {
 "external_id": "T1189",
 "kill_chain": [
@@ -16905,7 +17092,7 @@
 "value": "Inter-Process Communication - T1559"
 },
 {
- "description": "Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.\n\nAn adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.",
+ "description": "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.\n\nAn adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.\n\nWhen an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. 
[Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.",
 "meta": {
 "external_id": "T1134.001",
 "kill_chain": [
@@ -16988,7 +17175,7 @@
 "value": "Junk Data - T1001.001"
 },
 {
- "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)\n\nAdversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.",
+ "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)\n\nAdversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. 
Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks)\n\nMany cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP)\n\nAdversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.",
 "meta": {
 "external_id": "T1020.001",
 "kill_chain": [
@@ -16999,12 +17186,15 @@
 "Network Traffic: Network Traffic Flow"
 ],
 "mitre_platforms": [
- "Network"
+ "Network",
+ "IaaS"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1020/001",
- "https://capec.mitre.org/data/definitions/117.html",
+ "https://cloud.google.com/vpc/docs/packet-mirroring",
 "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954",
+ "https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html",
+ "https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview",
 "https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html",
 "https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html",
 "https://www.us-cert.gov/ncas/alerts/TA18-106A"
@@ -17180,7 +17370,7 @@
 "value": "LSA Secrets - T1003.004"
 },
 {
- "description": "Adversaries may gather credentials from information stored in the Proc filesystem or /proc. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.\n\nThis functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.",
+ "description": "Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)\n\nWhen executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. 
Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)\n\nIf running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.",
 "meta": {
 "external_id": "T1003.007",
 "kill_chain": [
@@ -17195,7 +17385,10 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1003/007",
- "https://github.com/huntergregal/mimipenguin"
+ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#proc-usdpid-maps-and-proc-usdpid-mem",
+ "https://github.com/huntergregal/mimipenguin",
+ "https://www.baeldung.com/linux/proc-id-maps",
+ "https://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use"
 ]
 },
 "related": [
@@ -17254,8 +17447,7 @@
 ],
 "refs": [
 "http://www.icir.org/vern/papers/meek-PETS-2015.pdf",
- "https://attack.mitre.org/techniques/T1090/004",
- "https://capec.mitre.org/data/definitions/481.html"
+ "https://attack.mitre.org/techniques/T1090/004"
 ]
 },
 "related": [
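Review bot: The new T1003.007 description contains `/proc//maps` and `/proc//mem` (and later `/maps` & `/mem`), whose doubled slash is not a valid path form; presumably a `<PID>` placeholder was dropped when the upstream text was converted, as angle-bracketed tokens are often stripped as markup. The intended reading is `/proc/<PID>/maps` and `/proc/<PID>/mem`. Since this cluster file is generated from the ATT&CK data, the fix belongs in the conversion step (preserve or escape angle-bracketed tokens) followed by a regeneration rather than a hand edit here.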
@@ -17268,7 +17460,7 @@
 "value": "Domain Fronting - T1090.004"
 },
 {
- "description": "Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm)\n\nIn some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)",
+ "description": "Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)\n\nIn some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)",
 "meta": {
 "external_id": "T1070.009",
 "kill_chain": [
@@ -17280,6 +17472,7 @@
 "File: File Modification",
 "Process: Process Creation",
 "Scheduled Job: Scheduled Job Modification",
+ "User Account: User Account Deletion",
 "Windows Registry: Windows Registry Key Deletion",
 "Windows Registry: Windows Registry Key Modification"
 ],
@@ -17290,6 +17483,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1070/009",
+ "https://blog.talosintelligence.com/recent-cyber-attack/",
 "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
 "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"
 ]
@@ -17328,7 +17522,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1110/001",
- "https://capec.mitre.org/data/definitions/49.html",
 "https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/emotet-now-spreads-via-wi-fi",
 "https://www.us-cert.gov/ncas/alerts/TA18-086A"
@@ -17364,7 +17557,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1110/002",
- "https://capec.mitre.org/data/definitions/55.html",
 "https://en.wikipedia.org/wiki/Password_cracking",
 "https://www.us-cert.gov/ncas/alerts/TA18-106A"
 ]
@@ -17403,7 +17595,6 @@
 "refs": [
 "http://www.blackhillsinfosec.com/?p=4645",
 "https://attack.mitre.org/techniques/T1110/003",
- "https://capec.mitre.org/data/definitions/565.html",
 "https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing",
 "https://www.us-cert.gov/ncas/alerts/TA18-086A"
 ]
@@ -17441,7 +17632,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1110/004",
- "https://capec.mitre.org/data/definitions/600.html",
 "https://www.us-cert.gov/ncas/alerts/TA18-086A"
 ]
 },
@@ -17455,7 +17645,7 @@
 "value": "Credential Stuffing - T1110.004"
 },
 {
- "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
+ "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
 "meta": {
 "external_id": "T1071.001",
 "kill_chain": [
@@ -17471,8 +17661,10 @@
 "Windows"
 ],
 "refs": [
+ "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
- "https://attack.mitre.org/techniques/T1071/001"
+ "https://attack.mitre.org/techniques/T1071/001",
+ "https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/"
 ]
 },
 "related": [
@@ -17595,8 +17787,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1027/001",
- "https://capec.mitre.org/data/definitions/572.html",
- "https://capec.mitre.org/data/definitions/655.html",
 "https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/",
 "https://www.virustotal.com/en/faq/",
 "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/"
@@ -17611,6 +17801,75 @@
 "uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
 "value": "Binary Padding - T1027.001"
 },
+ {
+ "description": "Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)\n\nFor example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, `^`, `+`. `$`, and `%`) to make commands difficult to analyze while maintaining the same intended functionality.(Citation: RC PowerShell) Many languages support built-in obfuscation in the form of base64 or URL encoding.(Citation: Microsoft PowerShellB64) Adversaries may also manually implement command obfuscation via string splitting (`“Wor”+“d.Application”`), order and casing of characters (`rev <<<'dwssap/cte/ tac'`), globing (`mkdir -p '/tmp/:&$NiA'`), as well as various tricks involving passing strings through tokens/environment variables/input streams.(Citation: Bashfuscator Command Obfuscators)(Citation: FireEye Obfuscation June 2017)\n\nAdversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (`C:\\voi\\pcw\\..\\..\\Windows\\tei\\qs\\k\\..\\..\\..\\system32\\erool\\..\\wbem\\wg\\je\\..\\..\\wmic.exe shadowcopy delete`).(Citation: Twitter Richard WMIC)\n\nTools such as Invoke-Obfuscation and Invoke-DOSfucation have also been used to obfuscate commands.(Citation: Invoke-DOSfuscation)(Citation: Invoke-Obfuscation)",
+ "meta": {
+ "external_id": "T1027.010",
+ 
"kill_chain": [
+ "mitre-attack:defense-evasion"
+ ],
+ "mitre_data_sources": [
+ "Command: Command Execution",
+ "File: File Metadata",
+ "Script: Script Execution"
+ ],
+ "mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1027/010",
+ "https://bashfuscator.readthedocs.io/en/latest/Mutators/command_obfuscators/index.html",
+ "https://bromiley.medium.com/malware-monday-vbscript-and-vbe-files-292252c1a16",
+ "https://github.com/danielbohannon/Invoke-DOSfuscation",
+ "https://github.com/danielbohannon/Invoke-Obfuscation",
+ "https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand",
+ "https://redcanary.com/threat-detection-report/techniques/powershell/",
+ "https://twitter.com/rfackroyd/status/1639136000755765254",
+ "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
+ "https://www.akamai.com/blog/security/catch-me-if-you-can-javascript-obfuscation"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "value": "Command Obfuscation - T1027.010"
+ },
+ {
+ "description": "Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user. \n\nMany enterprises federate centrally managed user identities to cloud services, allowing users to login with their domain credentials in order to access the cloud control plane. 
Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., [Cloud API](https://attack.mitre.org/techniques/T1059/009)), using commands such as Connect-AZAccount for Azure PowerShell, Connect-MgGraph for Microsoft Graph PowerShell, and gcloud auth login for the Google Cloud CLI.\n\nIn some cases, adversaries may be able to authenticate to these services via [Application Access Token](https://attack.mitre.org/techniques/T1550/001) instead of a username and password. ",
+ "meta": {
+ "external_id": "T1021.007",
+ "kill_chain": [
+ "mitre-attack:lateral-movement"
+ ],
+ "mitre_data_sources": [
+ "Logon Session: Logon Session Creation"
+ ],
+ "mitre_platforms": [
+ "Office 365",
+ "Azure AD",
+ "SaaS",
+ "IaaS",
+ "Google Workspace"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1021/007"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "8861073d-d1b8-4941-82ce-dce621d398f0",
+ "value": "Cloud Services - T1021.007"
+ },
 {
 "description": "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
 "meta": {
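Review bot: The new T1021.007 description spells the Azure PowerShell cmdlet as `Connect-AZAccount`, while the cmdlet shipped in the Az module is `Connect-AzAccount`; the T1027.010 description in the same hunk also has `globing` for `globbing`. Both strings come from the upstream ATT&CK text, and because this cluster file is regenerated from the STIX data, the corrections should be reported upstream (or applied in the generator's post-processing) rather than hand-edited here, or they will be undone by the next bump. Structurally the two new entries match the existing ones (meta, `related` with `subtechnique-of`, uuid, value).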
@@ -17740,7 +17999,7 @@
 "value": "Web Cookies - T1606.001"
 },
 {
- "description": "Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.\n\nMalware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020)\n\nAdversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files.",
+ "description": "Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. 
Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.\n\nMalware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin, or hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022)\n\nAdversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files.",
 "meta": {
 "external_id": "T1608.001",
 "kill_chain": [
@@ -17754,6 +18013,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1608/001",
+ "https://blog.talosintelligence.com/ipfs-abuse/",
 "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/"
 ]
 },
@@ -17824,7 +18084,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1078/001",
- "https://capec.mitre.org/data/definitions/70.html",
 "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html",
 "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts",
 "https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh",
@@ -17955,7 +18214,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1027/002",
- "https://capec.mitre.org/data/definitions/570.html",
 "https://github.com/dhondta/awesome-executable-packing",
 "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf"
 ]
@@ -18271,7 +18529,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1078/002",
- "https://capec.mitre.org/data/definitions/560.html",
 "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts",
 "https://technet.microsoft.com/en-us/library/dn487457.aspx",
 "https://technet.microsoft.com/en-us/library/dn535501.aspx",
@@ -18288,7 +18545,7 @@
 "value": "Domain Accounts - T1078.002"
 },
 {
- "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.\n\nCommands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups.",
+ "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.\n\nCommands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. ",
 "meta": {
 "external_id": "T1087.002",
 "kill_chain": [
@@ -18307,8 +18564,7 @@
 "Windows"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1087/002",
- "https://capec.mitre.org/data/definitions/575.html"
+ "https://attack.mitre.org/techniques/T1087/002"
 ]
 },
 "related": [
@@ -18488,7 +18744,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1505/003",
- "https://capec.mitre.org/data/definitions/650.html",
 "https://github.com/nsacyber/Mitigating-Web-Shells",
 "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
 "https://www.us-cert.gov/ncas/alerts/TA15-314A",
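Review bot: The updated T1087.002 description still reads `dscacheutil -q groupon macOS`, which is missing the space before `on` and so names a nonexistent `groupon` query; the intended text is `dscacheutil -q group on macOS`. The defect is present on the old side as well, so it is an upstream ATT&CK typo rather than something this bump introduced, but it is worth reporting upstream so the next regeneration of this cluster picks up the fix instead of carrying it forward again.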
@@ -18574,7 +18829,7 @@ "value": "Startup Items - T1037.005" }, { - "description": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\n\nWith authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).\n\nAzure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation)\n\nAdversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.", + "description": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\n\nWith authenticated access there are several tools that can be used to find permissions groups. 
The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).\n\nAzure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation) In AWS, the commands `ListRolePolicies` and `ListAttachedRolePolicies` allow users to enumerate the policies attached to a role.(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)\n\nAdversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.", "meta": { "external_id": "T1069.003", "kill_chain": [ @@ -18601,6 +18856,7 @@ "https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest", "https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0", "https://github.com/True-Demon/raindance", + "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/", "https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/" ] }, 
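Review bot: The added AWS sentence calls `ListRolePolicies` and `ListAttachedRolePolicies` "commands", but they are IAM API actions (`iam:ListRolePolicies`, `iam:ListAttachedRolePolicies`) reachable through the CLI, SDKs or console rather than commands in their own right, and the sentence as written does not say that they require `iam:List*` permission on the target role. A small wording change, e.g. `In AWS, the IAM API actions \`ListRolePolicies\` and \`ListAttachedRolePolicies\` allow a caller to enumerate the inline and managed policies attached to a role`, keeps it consistent with the preceding Azure/Google examples that name the interface. The corresponding CloudTrail records are presumably the detection hook, but the data-source list for T1069.003 is not in this hunk, so I cannot confirm it is covered.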
@@ -18773,7 +19029,7 @@ "value": "Unix Shell - T1059.004" }, { - "description": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.\n\nOnce a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges.", + "description": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. 
In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.\n\nOnce a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges.", "meta": { "external_id": "T1078.004", "kill_chain": [ 
@@ -18941,7 +19197,7 @@ "value": "Proc Memory - T1055.009" }, { - "description": "Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. \n\nTypically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). 
Link shortening services can also be employed. Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)", + "description": "Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. \n\nTypically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. 
Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)", "meta": { "external_id": "T1608.005", "kill_chain": [ @@ -18956,6 +19212,7 @@ "refs": [ "https://attack.mitre.org/techniques/T1608/005", "https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/", + "https://blog.talosintelligence.com/ipfs-abuse/", "https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/", "https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service", "https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection", 
@@ -18972,7 +19229,7 @@ "value": "Link Target - T1608.005" }, { - "description": "Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.\n\nMFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds)\n\nSimilarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Azure AD tenant by registering a large number of devices.(Citation: AADInternals - BPRT)", + "description": "Adversaries may register a device to an adversary-controlled account. 
Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.\n\nMFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Azure AD tenant by registering a large number of devices.(Citation: AADInternals - BPRT)", "meta": { "external_id": "T1098.005", "kill_chain": [ 
@@ -18995,6 +19252,7 @@ "https://o365blog.com/post/mdm", "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a", "https://www.darkreading.com/threat-intelligence/fireeye-s-mandia-severity-zero-alert-led-to-discovery-of-solarwinds-attack", + "https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft", "https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa", "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" ] 
@@ -19008,6 +19266,37 @@ "uuid": "7decb26c-715c-40cf-b7e0-026f7d7cc215", "value": "Device Registration - T1098.005" }, + { + "description": "Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: A), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006). \n\nCloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.\n\nWith proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment. 
", + "meta": { + "external_id": "T1059.009", + "kill_chain": [ + "mitre-attack:execution" + ], + "mitre_data_sources": [ + "Command: Command Execution" + ], + "mitre_platforms": [ + "IaaS", + "Azure AD", + "Office 365", + "SaaS", + "Google Workspace" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1059/009", + "https://github.com/Azure/azure-powershell" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "type": "subtechnique-of" + } + ], + "uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf", + "value": "Cloud API - T1059.009" + }, { "description": "Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)\n\nTo help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. 
elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)\n\nAdversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)\n\nSEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)", "meta": { @@ -19040,7 +19329,7 @@ "value": "SEO Poisoning - T1608.006" }, { - "description": "Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.", + "description": "Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.", "meta": { "external_id": "T1132.001", "kill_chain": [ 
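Review bot: The new Cloud API (T1059.009) description contains `(Citation: A)` after "Azure for PowerShell", which is a placeholder citation name that does not match any reference the entry lists; the `refs` array only has the attack.mitre.org page and `https://github.com/Azure/azure-powershell`, so the citation should name that reference (something like `(Citation: Azure PowerShell GitHub)`) or be dropped. This looks like an upstream ATT&CK v13 artefact rather than something introduced by the converter, so it is worth reporting there too. Note also that the entry's only data source is `Command: Command Execution`, while the actions it describes are typically visible in provider audit logs (CloudTrail, Azure Activity Log, GCP Admin Activity) rather than host command logging; whether ATT&CK v13 lists those elsewhere for this technique I cannot tell from this hunk.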
@@ -19095,7 +19384,36 @@ "value": "Symmetric Cryptography - T1521.001" }, { - "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", + "description": "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage.\n\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). 
Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.\n\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%SystemRoot%\\System32\\Config`) physical files.(Citation: Microsoft Fileless) ", + "meta": { + "external_id": "T1027.011", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "WMI: WMI Creation", + "Windows Registry: Windows Registry Key Creation" + ], + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1027/011", + "https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats", + "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "type": "subtechnique-of" + } + ], + "uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "value": "Fileless Storage - T1027.011" + }, + { + "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username.(Citation: cisco_username_cmd)\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", "meta": { "external_id": "T1136.001", "kill_chain": [ 
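Review bot: The new Fileless Storage (T1027.011) entry names event logs as a non-volatile fileless store in its first paragraph, but its `mitre_data_sources` list only `WMI: WMI Creation` and `Windows Registry: Windows Registry Key Creation`, so a defender building detections from this entry would miss the event-log variant the SecureList reference describes. If the upstream technique genuinely has no event-log data source, a short note in the description (e.g. `Event-log based storage is not covered by the Registry/WMI creation data sources listed for this technique`) would make the gap explicit. The Local Account (T1136.001) change in the same hunk adds network devices and the Cisco `username` command; the matching platform and reference changes are in the following hunk, but the entry's data sources are outside my view, so I cannot confirm whether configuration-change monitoring on network devices is covered.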
@@ -19109,11 +19427,13 @@
 "mitre_platforms": [
 "Linux",
 "macOS",
- "Windows"
+ "Windows",
+ "Network"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1136/001",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720"
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630"
 ]
 },
 "related": [
@@ -19358,7 +19678,6 @@
 "http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research",
 "http://www.uefi.org/about",
 "https://attack.mitre.org/techniques/T1542/001",
- "https://capec.mitre.org/data/definitions/532.html",
 "https://en.wikipedia.org/wiki/BIOS",
 "https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface",
 "https://github.com/chipsec/chipsec",
@@ -19551,7 +19870,7 @@ "value": "Business Relationships - T1591.002" }, { - "description": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)\n\nAdversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.", + "description": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)\n\nAdversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.\n\nOnce an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).", "meta": { "external_id": "T1136.003", "kill_chain": [ 
@@ -20162,7 +20481,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1566/001",
- "https://capec.mitre.org/data/definitions/163.html",
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide",
 "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
 "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
@@ -20323,7 +20641,7 @@ "value": "Device Lockout - T1629.002" }, { - "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. 
\n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)", + "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. \n\nSystemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`). (Citation: lambert systemd 2022) \n\nService unit files use the following directives to execute system commands:(Citation: freedesktop systemd.service) \n\n* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives cover execution of commands when a service is started manually by `systemctl`, or on system start if the service is set to automatically start.\n* `ExecReload` directive covers when a service restarts. 
\n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives cover when a service is stopped. \n\nAdversaries may abuse systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files systemd uses upon reboot or starting a service.(Citation: Anomali Rocke March 2019) Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.\n\nThe `.service` file’s `User` directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.(Citation: Rapid7 Service Persistence 22JUNE2016) ", "meta": { "external_id": "T1543.002", "kill_chain": [ @@ -20344,10 +20662,10 @@ "refs": [ "http://man7.org/linux/man-pages/man1/systemd.1.html", "https://attack.mitre.org/techniques/T1543/002", - "https://capec.mitre.org/data/definitions/550.html", - "https://capec.mitre.org/data/definitions/551.html", + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", + "https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/", "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang", - "https://www.freedesktop.org/wiki/Software/systemd/", + "https://www.freedesktop.org/software/systemd/man/systemd.service.html", "https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence" ] }, 
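Review bot: The rewritten T1543.002 description lists `ExecStopPre` as a service directive, but the systemd.service manual page the entry now cites defines only `ExecStop` and `ExecStopPost` (the old text had this right), so the bullet should read `\`ExecStop\` and \`ExecStopPost\` directives cover when a service is stopped.` The new path wording, "the `/systemd/system` directory of the root owned directories (`/`)" and "`/systemd/user` directories of the user owned directories (`$HOME`)", is also less precise than the replaced `/etc/systemd/system`, `/usr/lib/systemd/system` and `~/.config/systemd/user/`, which are the paths a hunter actually needs to enumerate. The old paragraph noting that system-level unit directories normally require root while `~/.config/systemd/user/` gives unprivileged user-level persistence has been dropped in favour of the `User` directive remark; both points are useful and the privilege distinction is worth restoring upstream, as this cluster appears to be regenerated from the ATT&CK STIX source.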
@@ -20595,7 +20913,7 @@
"value": "TFTP Boot - T1542.005"
},
{
- "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \n\nAdversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.\n\nAdversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\n\nSome private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line.",
+ "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \n\nAdversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)\n\nOn network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys) \n\nSome private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.",
"meta": {
"external_id": "T1552.004",
"kill_chain": [
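Review bot: The new T1552.004 description line carries `C:\Users\(username)\.ssh\` with single backslashes, and `\U`, `\(`, `\.` and `\ ` are not valid JSON string escapes, so a strict parser would reject the file if that is the literal file content rather than an artefact of how this patch is rendered (the T1562.006 hunk further down shows `HKEY_LOCAL_MACHINE\\SYSTEM` with doubled backslashes, so the rendering does not obviously collapse them). The same text sits on the removed line, so it is not introduced here, but since the generator rewrote this line it is worth confirming the regenerated cluster still passes the repository's JSON validation before merging.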
@@ -20608,13 +20926,17 @@
"mitre_platforms": [
"Linux",
"macOS",
- "Windows"
+ "Windows",
+ "Network"
],
"refs": [
+ "https://aadinternals.com/post/deviceidentity/",
"https://attack.mitre.org/techniques/T1552/004",
"https://en.wikipedia.org/wiki/Public-key_cryptography",
"https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf",
- "https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/"
+ "https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token",
+ "https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-17/sec-pki-xe-17-book/sec-deploy-rsa-pki.html#GUID-1CB802D8-9DE3-447F-BECE-CF22F5E11436"
]
},
"related": [
@@ -20781,7 +21103,6 @@
"https://attack.mitre.org/techniques/T1498/002",
"https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/",
"https://blog.cloudflare.com/reflections-on-reflections/",
- "https://capec.mitre.org/data/definitions/490.html",
"https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf",
"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf",
"https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/",
@@ -20883,6 +21204,35 @@
"uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a",
"value": "Email Accounts - T1585.002"
},
+ {
+ "description": "Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.\n\nRather than accessing the stored chat logs (i.e., [Credentials In Files](https://attack.mitre.org/techniques/T1552/001)), adversaries may directly access credentials within these services on the user endpoint, through servers hosting the services, or through administrator portals for cloud hosted services. Adversaries may also compromise integration tools like Slack Workflows to automatically search through messages to extract user credentials. These credentials may then be abused to perform follow-on activities such as lateral movement or privilege escalation (Citation: Slack Security Risks).",
+ "meta": {
+ "external_id": "T1552.008",
+ "kill_chain": [
+ "mitre-attack:credential-access"
+ ],
+ "mitre_data_sources": [
+ "Application Log: Application Log Content"
+ ],
+ "mitre_platforms": [
+ "Office 365",
+ "SaaS",
+ "Google Workspace"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1552/008",
+ "https://www.nightfall.ai/blog/saas-slack-security-risks-2020"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "9664ad0e-789e-40ac-82e2-d7b17fbe8fb3",
+ "value": "Chat Messages - T1552.008"
+ },
{
"description": "Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)\n\nSilver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets)\n\nPassword hashes for target services may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).",
"meta": {
@@ -20928,7 +21278,7 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1595/002",
- "https://wiki.owasp.org/index.php/OAT-014_Vulnerability_Scanning"
+ "https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning"
]
},
"related": [
@@ -20941,7 +21291,7 @@
"value": "Vulnerability Scanning - T1595.002"
},
{
- "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\n\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\n\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.\n\nIn Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck).",
+ "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\n\nFor example, adversaries may modify the `File` value in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging) \n\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\n\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.\n\nIn Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck).",
"meta": {
"external_id": "T1562.006",
"kill_chain": [
@@ -20959,9 +21309,9 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1562/006",
- "https://capec.mitre.org/data/definitions/571.html",
"https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events",
"https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
+ "https://ptylu.github.io/content/report/report.html?report=25",
"https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/",
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A"
]
@@ -20976,7 +21326,7 @@
"value": "Indicator Blocking - T1562.006"
},
{
- "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \"IDN homograph attack\").(Citation: CISA IDN ST05-016)\n\nAdversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)",
+ "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \"IDN homograph attack\").(Citation: CISA IDN ST05-016)\n\nAdversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)",
"meta": {
"external_id": "T1566.002",
"kill_chain": [
@@ -20998,7 +21348,6 @@
"refs": [
"https://attack.mitre.org/techniques/T1566/002",
"https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks",
- "https://capec.mitre.org/data/definitions/163.html",
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide",
"https://us-cert.cisa.gov/ncas/tips/ST05-016",
"https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
@@ -21015,7 +21364,7 @@
"value": "Spearphishing Link - T1566.002"
},
{
- "description": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).\n\nA variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nAdversaries can use a compromised email account to hijack existing email threads with targets of interest.",
+ "description": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).\n\nA variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Adversaries may target compromising well-known email accounts or domains from which malicious spam or [Phishing](https://attack.mitre.org/techniques/T1566) emails may evade reputation-based email filtering rules.\n\nAdversaries can use a compromised email account to hijack existing email threads with targets of interest.",
"meta": {
"external_id": "T1586.002",
"kill_chain": [
@@ -21026,7 +21375,8 @@
],
"refs": [
"https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/",
- "https://attack.mitre.org/techniques/T1586/002"
+ "https://attack.mitre.org/techniques/T1586/002",
+ "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/"
]
},
"related": [
@@ -21155,9 +21505,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1543/003",
- "https://capec.mitre.org/data/definitions/478.html",
- "https://capec.mitre.org/data/definitions/550.html",
- "https://capec.mitre.org/data/definitions/551.html",
"https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697",
"https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection",
"https://technet.microsoft.com/en-us/library/cc772408.aspx",
@@ -21248,8 +21595,6 @@
"refs": [
"https://attack.mitre.org/techniques/T1543/004",
"https://bradleyjkemp.dev/post/launchdaemon-hijacking/",
- "https://capec.mitre.org/data/definitions/550.html",
- "https://capec.mitre.org/data/definitions/551.html",
"https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf",
"https://www.real-world-systems.com/docs/launchdPlist.1.html",
@@ -21537,7 +21882,7 @@
"value": "DNS Calculation - T1568.003"
},
{
- "description": "Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.",
+ "description": "Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.",
"meta": {
"external_id": "T1583.006",
"kill_chain": [
@@ -21640,7 +21985,7 @@
"value": "Employee Names - T1589.003"
},
{
- "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. \n\nFrom the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
+ "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site.\n\nAdversaries may also link to \"web bugs\" or \"web beacons\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)\n\nAdversaries may also be able to spoof a complete website using what is known as a \"browser-in-the-browser\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)\n\nFrom the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
"meta": {
"external_id": "T1598.003",
"kill_chain": [
@@ -21656,10 +22001,13 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1598/003",
+ "https://csrc.nist.gov/glossary/term/web_bug",
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide",
+ "https://mrd0x.com/browser-in-the-browser-phishing-attack/",
"https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
"https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages",
- "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html"
+ "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html",
+ "https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials"
]
},
"related": [
@@ -21690,7 +22038,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1574/004",
- "https://capec.mitre.org/data/definitions/471.html",
"https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html",
"https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py",
"https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py",
@@ -21799,7 +22146,6 @@
"refs": [
"http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/",
"https://attack.mitre.org/techniques/T1546/008",
- "https://capec.mitre.org/data/definitions/558.html",
"https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html",
"https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html",
"https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom"
@@ -21815,7 +22161,7 @@
"value": "Accessibility Features - T1546.008"
},
{
- "description": "Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.",
+ "description": "Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.",
"meta": {
"external_id": "T1584.006",
"kill_chain": [
@@ -21962,7 +22308,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1547/009",
- "https://capec.mitre.org/data/definitions/132.html",
"https://www.elastic.co/guide/en/security/7.17/shortcut-file-written-or-modified-for-persistence.html#shortcut-file-written-or-modified-for-persistence",
"https://www.youtube.com/watch?v=nJ0UsyiUEqQ"
]
@@ -22444,7 +22789,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1053",
- "https://capec.mitre.org/data/definitions/557.html",
"https://technet.microsoft.com/en-us/library/cc785125.aspx",
"https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain"
]
@@ -22488,7 +22832,7 @@
 "value": "Develop KITs/KIQs - T1227"
 },
 {
- "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.\n\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)",
+ "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. 
reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)\n\nShutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.\n\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)",
 "meta": {
 "external_id": "T1529",
 "kill_chain": [
@@ -22664,7 +23008,6 @@
 "refs": [
 "https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/",
 "https://attack.mitre.org/techniques/T1200",
- "https://capec.mitre.org/data/definitions/440.html",
 "https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html",
 "https://www.youtube.com/watch?v=fXthwl6ShOg",
 "https://www.youtube.com/watch?v=lDvf4ScWbcQ"
@@ -22703,7 +23046,7 @@
 "value": "Data Compressed - T1002"
 },
 {
- "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. 
For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring) (Citation: GCP Packet Mirroring) (Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring) (Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic. (Citation: Rhino Security Labs AWS VPC Traffic Mirroring)",
+ "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. 
IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)\n\nOn network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)",
 "meta": {
 "external_id": "T1040",
 "kill_chain": [
@@ -22723,12 +23066,13 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1040",
- "https://capec.mitre.org/data/definitions/158.html",
 "https://cloud.google.com/vpc/docs/packet-mirroring",
 "https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html",
 "https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview",
 "https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512",
- "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"
+ "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/",
+ "https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html",
+ "https://www.us-cert.gov/ncas/alerts/TA18-106A"
 ]
 },
 "uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
@@ -22796,6 +23140,7 @@
 "mitre-attack:defense-evasion"
 ],
 "mitre_data_sources": [
+ "Application Log: Application Log Content",
 "Command: Command Execution",
 "File: File Deletion",
 "File: File Metadata",
@@ -22806,6 +23151,7 @@
 "Process: Process Creation",
 "Scheduled Job: Scheduled Job Modification",
 "User Account: User Account Authentication",
+ "User Account: User Account Deletion",
 "Windows Registry: Windows Registry Key Deletion",
 "Windows Registry: Windows Registry Key Modification"
 ],
@@ -22819,8 +23165,7 @@
 "Google Workspace"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1070",
- "https://capec.mitre.org/data/definitions/93.html"
+ "https://attack.mitre.org/techniques/T1070"
 ]
 },
 "uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
@@ -22907,8 +23252,7 @@
 "Network"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1110",
- "https://capec.mitre.org/data/definitions/49.html"
+ "https://attack.mitre.org/techniques/T1110"
 ]
 },
 "uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
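Review bot: The TA18-106A reference added to the T1040 refs in the first hunk uses the legacy host `https://www.us-cert.gov/ncas/alerts/TA18-106A`, while other CISA advisories in this file are recorded under cisa.gov (for example `https://www.cisa.gov/uscert/ncas/alerts/aa22-074a` for T1078 further down). The us-cert.gov host now redirects to cisa.gov, so the link resolves today, but the file ends up carrying two spellings for the same advisory source, which will trip naive de-duplication or allow-listing of refs. The same URL is added again to the T1057 refs later in this diff. If refs are copied verbatim from the upstream STIX external_references this is an upstream inconsistency; otherwise normalising the host in the generator would be a cheap fix.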
@@ -22932,7 +23276,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1012",
- "https://capec.mitre.org/data/definitions/647.html",
 "https://en.wikipedia.org/wiki/Windows_Registry"
 ]
 },
@@ -22940,7 +23283,7 @@
 "value": "Query Registry - T1012"
 },
 {
- "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)\n\nLegitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. 
In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)",
+ "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain. \n\nLegitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. 
ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)",
 "meta": {
 "external_id": "T1021",
 "kill_chain": [
@@ -22963,7 +23306,6 @@
 "refs": [
 "http://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html",
 "https://attack.mitre.org/techniques/T1021",
- "https://capec.mitre.org/data/definitions/555.html",
 "https://images.apple.com/remotedesktop/pdf/ARD_Admin_Guide_v3.3.pdf",
 "https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins",
 "https://support.apple.com/en-us/HT201710",
@@ -23142,15 +23484,7 @@
 "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
 ]
 },
- "related": [
- {
- "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "revoked-by"
- }
- ],
+ "related": [],
 "uuid": "06780952-177c-4247-b978-79c357fb311f",
 "value": "Plist Modification - T1150"
 },
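Review bot: In the last hunk the `revoked-by` relationship on `Plist Modification - T1150` is replaced by `"related": [],`, which drops the pointer to the superseding object (`dest-uuid` 6747daa2-3533-4e78-8fb8-446ebb86448a) without marking the entry as revoked in any other visible way; the same replacement is made for `Login Item - T1162` further down. Consumers that resolve deprecated technique IDs by following `revoked-by` will now land on an entry that looks like a live technique. If the upstream v13 bundle still flags these objects as revoked, the generator should keep emitting the relationship; if the drop is intentional, the commit message should say so, since it is a behavioural change for anyone mapping old IDs.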
@@ -24089,7 +24423,6 @@
 "http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html",
 "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing",
 "https://attack.mitre.org/techniques/T1055",
- "https://capec.mitre.org/data/definitions/640.html",
 "https://docs.microsoft.com/sysinternals/downloads/sysmon",
 "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
 "https://www.gnu.org/software/acct/"
@@ -24098,6 +24431,27 @@
 "uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
 "value": "Process Injection - T1055"
 },
+ {
+ "description": "Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)(Citation: Krebs Access Brokers Fortune 500) In some cases, adversary groups may form partnerships to share compromised systems with each other.(Citation: CISA Karakurt 2022)\n\nFootholds to compromised systems may take a variety of forms, such as access to planted backdoors (e.g., [Web Shell](https://attack.mitre.org/techniques/T1505/003)) or established access via [External Remote Services](https://attack.mitre.org/techniques/T1133). In some cases, access brokers will implant compromised systems with a “load” that can be used to install additional malware for paying customers.(Citation: Microsoft Ransomware as a Service)\n\nBy leveraging existing access broker networks rather than developing or obtaining their own initial access capabilities, an adversary can potentially reduce the resources required to gain a foothold on a target network and focus their efforts on later stages of compromise. 
Adversaries may prioritize acquiring access to systems that have been determined to lack security monitoring or that have high privileges, or systems that belong to organizations in a particular sector.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)\n\nIn some cases, purchasing access to an organization in sectors such as IT contracting, software development, or telecommunications may allow an adversary to compromise additional victims via a [Trusted Relationship](https://attack.mitre.org/techniques/T1199), [Multi-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111), or even [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195).\n\n**Note:** while this technique is distinct from other behaviors such as [Purchase Technical Data](https://attack.mitre.org/techniques/T1597/002) and [Credentials](https://attack.mitre.org/techniques/T1589/001), they may often be used in conjunction (especially where the acquired foothold requires [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
+ "meta": {
+ "external_id": "T1650",
+ "kill_chain": [
+ "mitre-attack:resource-development"
+ ],
+ "mitre_platforms": [
+ "PRE"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1650",
+ "https://krebsonsecurity.com/2012/10/service-sells-access-to-fortune-500-firms/",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a",
+ "https://www.crowdstrike.com/blog/access-brokers-targets-and-worth/",
+ "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
+ ]
+ },
+ "uuid": "d21bb61f-08ad-4dc1-b001-81ca6cb79954",
+ "value": "Acquire Access - T1650"
+ },
 {
 "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. 
During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).",
 "meta": {
@@ -24122,15 +24476,14 @@
 ],
 "refs": [
 "http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf",
- "https://attack.mitre.org/techniques/T1056",
- "https://capec.mitre.org/data/definitions/569.html"
+ "https://attack.mitre.org/techniques/T1056"
 ]
 },
 "uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
 "value": "Input Capture - T1056"
 },
 {
- "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.",
+ "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. 
Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)",
 "meta": {
 "external_id": "T1057",
 "kill_chain": [
@@ -24144,11 +24497,13 @@
 "mitre_platforms": [
 "Linux",
 "macOS",
- "Windows"
+ "Windows",
+ "Network"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1057",
- "https://capec.mitre.org/data/definitions/573.html"
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_monitor_permit_list_through_show_process_memory.html#wp3599497760",
+ "https://www.us-cert.gov/ncas/alerts/TA18-106A"
 ]
 },
 "uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
@@ -24186,7 +24541,7 @@
 "value": "Stage Capabilities - T1608"
 },
 {
- "description": "Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.",
+ "description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\n\nAdversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.\n\nFor examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.",
 "meta": {
 "external_id": "T1087",
 "kill_chain": [
@@ -24209,7 +24564,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1087",
- "https://capec.mitre.org/data/definitions/575.html",
 "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
 ]
 },
@@ -24245,7 +24599,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1078",
- "https://capec.mitre.org/data/definitions/560.html",
 "https://technet.microsoft.com/en-us/library/dn487457.aspx",
 "https://technet.microsoft.com/en-us/library/dn535501.aspx",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a",
@@ -24310,7 +24663,8 @@
 "Linux",
 "macOS",
 "Google Workspace",
- "SaaS"
+ "SaaS",
+ "Network"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1098",
@@ -24344,7 +24698,6 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1112",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/",
- "https://capec.mitre.org/data/definitions/203.html",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull",
 "https://docs.microsoft.com/sysinternals/downloads/reghide",
 "https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657",
@@ -24404,7 +24757,6 @@
 "refs": [
 "https://attack.mitre.org/techniques/T1113",
 "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/",
- "https://capec.mitre.org/data/definitions/648.html",
 "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8"
 ]
 },
@@ -24536,7 +24888,7 @@
 "value": "Input Prompt - T1141"
 },
 {
- "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nIn Windows, Applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)",
+ "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nFor example, on Windows adversaries can access clipboard data by using clip.exe or Get-Clipboard.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs)\n\nmacOS and Linux also have commands, such as pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)",
 "meta": {
 "external_id": "T1115",
 "kill_chain": [
@@ -24553,9 +24905,11 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1115",
- "https://capec.mitre.org/data/definitions/637.html",
+ "https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip",
 "https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363",
- "https://msdn.microsoft.com/en-us/library/ms649012"
+ "https://msdn.microsoft.com/en-us/library/ms649012",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa21-200b"
 ]
 },
 "uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
@@ -24694,8 +25048,7 @@
 "Windows"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1123",
- "https://capec.mitre.org/data/definitions/634.html"
+ "https://attack.mitre.org/techniques/T1123"
 ]
 },
 "uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
@@ -24781,7 +25134,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1125",
- "https://capec.mitre.org/data/definitions/634.html",
 "https://objective-see.com/blog/blog_0x25.html"
 ]
 },
@@ -24806,15 +25158,7 @@
 "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
 ]
 },
- "related": [
- {
- "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "revoked-by"
- }
- ],
+ "related": [],
 "uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9",
 "value": "Login Item - T1162"
 },
@@ -25025,7 +25369,8 @@
 "IaaS",
 "Linux",
 "macOS",
- "Google Workspace"
+ "Google Workspace",
+ "Network"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1136",
@@ -25466,7 +25811,7 @@
 "value": "LC_MAIN Hijacking - T1149"
 },
 {
- "description": "Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)",
+ "description": "Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). 
A complete wipe of all disk sectors may be attempted.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)\n\nOn network devices, adversaries may wipe configuration files and other data from the device using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `erase`.(Citation: erase_cmd_cisco)",
 "meta": {
 "external_id": "T1561",
 "kill_chain": [
@@ -25482,12 +25827,14 @@
 "mitre_platforms": [
 "Linux",
 "macOS",
- "Windows"
+ "Windows",
+ "Network"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1561",
 "https://docs.microsoft.com/sysinternals/downloads/sysmon",
- "https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"
+ "https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/D_through_E.html#wp3557227463"
 ]
 },
 "uuid": "1988cc35-ced8-4dad-b2d1-7628488fa967",
@@ -25617,8 +25964,7 @@
 "Google Workspace"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1518",
- "https://capec.mitre.org/data/definitions/580.html"
+ "https://attack.mitre.org/techniques/T1518"
 ]
 },
 "uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
@@ -26041,6 +26387,7 @@
 "mitre-attack:credential-access"
 ],
 "mitre_data_sources": [
+ "Application Log: Application Log Content",
 "Command: Command Execution",
 "File: File Access",
 "Process: Process Creation",
@@ -26056,7 +26403,8 @@
 "Linux",
 "macOS",
 "Google Workspace",
- "Containers"
+ "Containers",
+ "Network"
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1552"
@@ -26066,7 +26414,7 @@
 "value": "Unsecured Credentials - T1552"
 },
 {
- "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.",
+ "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.",
 "meta": {
 "external_id": "T1562",
 "kill_chain": [
@@ -26084,6 +26432,7 @@
 "Script: Script Execution",
 "Sensor Health: Host Status",
 "Service: Service Metadata",
+ "User Account: User Account Modification",
 "Windows Registry: Windows Registry Key Deletion",
 "Windows Registry: Windows Registry Key Modification"
 ],
@@ -26097,7 +26446,8 @@
 "Network"
 ],
 "refs": [
- "https://attack.mitre.org/techniques/T1562"
+ "https://attack.mitre.org/techniques/T1562",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/#:~:text=Don’t%20Sleep%20has%20the%20capability%20to%20keep%20the%20computer%20from%20being%20shutdown%20and%20the%20user%20from%20being%20signed%20off.%20This%20was%20likely%20done%20to%20ensure%20nothing%20will%20interfere%20with%20the%20propagation%20of%20the%20ransomware%20payload"
 ]
 },
 "uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
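Review bot: The new reference added to the T1562 `refs` array carries a `#:~:text=` text-fragment in which the apostrophe in `Don’t` is a raw U+2019 while the rest of the fragment is percent-encoded, so consumers that canonicalize or compare reference URLs byte-wise may treat it as distinct from the plain article URL. If, as I assume, this value is copied verbatim from the upstream ATT&CK external_references, the correction belongs in the generator or upstream rather than in a hand edit here; the generator could strip fragments or percent-encode non-ASCII characters before emitting `refs`. The article URL without the fragment, `https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/`, would also be a more stable key for deduplication across clusters.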
@@ -26326,7 +26676,7 @@
 "value": "Encrypted Channel - T1573"
 },
 {
- "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.",
+ "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.",
 "meta": {
 "external_id": "T1583",
 "kill_chain": [
@@ -26347,6 +26697,7 @@
 "https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf",
 "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2",
 "https://threatconnect.com/blog/infrastructure-research-hunting/",
+ "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/",
 "https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation"
 ]
 },
@@ -26443,7 +26794,7 @@
 "value": "Hide Artifacts - T1564"
 },
 {
- "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) \n\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)",
+ "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. 
Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus)\n\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)",
 "meta": {
 "external_id": "T1584",
 "kill_chain": [
@@ -26466,6 +26817,7 @@
 "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2",
 "https://threatconnect.com/blog/infrastructure-research-hunting/",
 "https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html",
+ "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/",
 "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html",
 "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
 "https://www.icann.org/groups/ssac/documents/sac-007-en",
@@ -26732,7 +27084,7 @@
 "value": "Active Scanning - T1595"
 },
 {
- "description": "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).",
+ "description": "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. 
Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).",
 "meta": {
 "external_id": "T1586",
 "kill_chain": [
@@ -26747,7 +27099,8 @@
 ],
 "refs": [
 "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/",
- "https://attack.mitre.org/techniques/T1586"
+ "https://attack.mitre.org/techniques/T1586",
+ "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/"
 ]
 },
 "uuid": "81033c3b-16a4-46e4-8fed-9b030dd03c4a",
@@ -26912,7 +27265,6 @@
 "https://arxiv.org/abs/1809.05681",
 "https://attack.mitre.org/techniques/T1557",
 "https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/",
- "https://capec.mitre.org/data/definitions/94.html",
 "https://securelist.com/ad-blocker-with-miner-included/101105/",
 "https://tlseminar.github.io/downgrade-attacks/",
 "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/",
@@ -27135,7 +27487,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1021/004",
- "https://capec.mitre.org/data/definitions/555.html",
 "https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins"
 ]
 },
@@ -27168,7 +27519,6 @@
 "refs": [
 "http://lists.openstack.org/pipermail/openstack/2013-December/004138.html",
 "https://attack.mitre.org/techniques/T1021/005",
- "https://capec.mitre.org/data/definitions/555.html",
 "https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2",
 "https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207",
 "https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in",
@@ -27268,7 +27618,6 @@
 "refs": [
 "http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf",
 "https://attack.mitre.org/techniques/T1056/001",
- "https://capec.mitre.org/data/definitions/568.html",
 "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
 ]
 },
@@ -27300,13 +27649,13 @@
 ],
 "refs": [
 "http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf",
- "http://www.sixdub.net/?p=367",
 "https://attack.mitre.org/techniques/T1059/001",
 "https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/",
 "https://github.com/jaredhaight/PSAttack",
 "https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/",
- "https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/",
 "https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx",
+ "https://web.archive.org/web/20160327101330/http://www.sixdub.net/?p=367",
+ "https://web.archive.org/web/20190508170150/https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/",
 "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html"
 ]
 },
@@ -27377,7 +27726,6 @@
 ],
 "refs": [
 "https://attack.mitre.org/techniques/T1027/003",
- "https://capec.mitre.org/data/definitions/636.html",
 "https://en.wikipedia.org/wiki/Duqu",
 "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/"
 ]
@@ -27500,12 +27848,7 @@
 "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
 ]
 },
- "related": [
- {
- "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
- "type": "subtechnique-of"
- }
- ],
+ "related": [],
 "uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3",
 "value": "Launchd - T1053.004"
 },
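Review bot: In the `@@ -27500,12 +27848,7 @@` hunk, Launchd - T1053.004 keeps its sub-technique id in `value` but its `related` array is emptied, dropping the `subtechnique-of` edge to dest-uuid `35dd844a-b219-4e2b-a6bb-efa9a75995a9`, and nothing in the entry records why, so a consumer that builds the technique tree from `related` sees an orphaned sub-technique indistinguishable from data loss. This presumably reflects the technique being deprecated or revoked in ATT&CK v13; if so, consider carrying that status into the entry (a deprecation marker in `meta`, if the galaxy schema provides one) or stating in the commit message that deprecated entries are retained with `"related": []`. Either way the convention should be applied uniformly to every entry the bump leaves in this state.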
@@ -28018,18 +28361,17 @@
 "https://attack.mitre.org/techniques/T1583/001",
 "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html",
 "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html",
- "https://capec.mitre.org/data/definitions/630.html",
 "https://krebsonsecurity.com/2018/11/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/",
 "https://threatconnect.com/blog/infrastructure-research-hunting/",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-258a",
 "https://us-cert.cisa.gov/ncas/tips/ST05-016",
+ "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
+ "https://web.archive.org/web/20171223000420/https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/",
+ "https://web.archive.org/web/20220527112908/https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/",
 "https://www.blackhillsinfosec.com/bypass-web-proxy-filtering/",
 "https://www.cobaltstrike.com/blog/high-reputation-redirectors-and-domain-fronting/",
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
 "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
 "https://www.mdsec.co.uk/2017/07/categorisation-is-not-a-security-boundary/",
- "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/",
- "https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/",
 "https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/"
 ]
 },
@@ -28043,7 +28385,7 @@
 "value": "Domains - T1583.001"
 },
 {
- "description": "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)\n\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)",
+ "description": "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)\n\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. 
In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)\n\nAdversaries who compromise a domain may also engage in domain shadowing by creating malicious subdomains under their control while keeping any existing DNS records. As service will not be disrupted, the malicious subdomains may go unnoticed for long periods of time.(Citation: Palo Alto Unit 42 Domain Shadowing 2022)",
 "meta": {
 "external_id": "T1584.001",
 "kill_chain": [
@@ -28061,6 +28403,7 @@
 "https://attack.mitre.org/techniques/T1584/001",
 "https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover",
 "https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/",
+ "https://unit42.paloaltonetworks.com/domain-shadowing/",
 "https://www.icann.org/groups/ssac/documents/sac-007-en"
 ]
 },
@@ -28231,7 +28574,7 @@
 "value": "Malware - T1588.001"
 },
 {
- "description": "Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nAdversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
+ "description": "Adversaries may gather credentials that can be used during targeting. 
Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nAdversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Finally, where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). ",
 "meta": {
 "external_id": "T1589.001",
 "kill_chain": [
@@ -28246,6 +28589,7 @@
 "https://github.com/dxa4481/truffleHog",
 "https://github.com/michenriksen/gitrob",
 "https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/",
+ "https://sec.okta.com/scatterswine",
 "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/",
 "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196",
 "https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/",
@@ -28307,7 +28651,6 @@
 "refs": [
 "http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion",
 "https://attack.mitre.org/techniques/T1542/003",
- "https://capec.mitre.org/data/definitions/552.html",
 "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf"
 ]
 },
@@ -28459,7 +28802,7 @@
 "value": "Tool - T1588.002"
 },
 {
- "description": "Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.\n\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)",
+ "description": "Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Adversaries may use web servers to support support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.\n\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. 
Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)",
 "meta": {
 "external_id": "T1583.004",
 "kill_chain": [
@@ -28534,7 +28877,6 @@
 "https://adsecurity.org/?p=2293",
 "https://attack.mitre.org/techniques/T1558/003",
 "https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/",
- "https://capec.mitre.org/data/definitions/509.html",
 "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1",
 "https://msdn.microsoft.com/library/ms677949.aspx",
 "https://redsiege.com/kerberoast-slides",
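Review bot: The new description for T1583.004 in the `@@ -28459,7 +28802,7 @@` hunk (which begins on the previous physical line) contains a doubled word, `web servers to support support watering hole operations`. If this cluster is generated from the upstream ATT&CK STIX bundle, as it appears to be, a hand edit would be overwritten on the next bump, so the typo should be reported upstream or corrected in the generator rather than patched here. The same applies to `spoofing(Citation: Proofpoint-spoof)` in the T1566 description in the `@@ -29893,7 +30264,7 @@` hunk, where a space is missing before the citation.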
@@ -28581,7 +28923,38 @@
 "value": "Serverless - T1583.007"
 },
 {
- "description": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).",
+ "description": "Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.(Citation: spamhaus-malvertising) Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites. \n\nAdversaries may purchase ads and other resources to help distribute artifacts containing malicious code to victims. Purchased ads may attempt to impersonate or spoof well-known brands. 
For example, these spoofed ads may trick victims into clicking the ad which could then send them to a malicious domain that may be a clone of official websites containing trojanized versions of the advertised software.(Citation: Masquerads-Guardio)(Citation: FBI-search) Adversary’s efforts to create malicious domains and purchase advertisements may also be automated at scale to better resist cleanup efforts.(Citation: sentinelone-malvertising) \n\nMalvertising may be used to support [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), potentially requiring limited interaction from the user if the ad contains code/exploits that infect the target system's web browser.(Citation: BBC-malvertising)\n\nAdversaries may also employ several techniques to evade detection by the advertising network. For example, adversaries may dynamically route ad clicks to send automated crawler/policy enforcer traffic to benign sites while validating potential targets then sending victims referred from real ad clicks to malicious pages. 
This infection vector may therefore remain hidden from the ad network as well as any visitor not reaching the malicious sites with a valid identifier from clicking on the advertisement.(Citation: Masquerads-Guardio) Other tricks, such as intentional typos to avoid brand reputation monitoring, may also be used to evade automated detection.(Citation: spamhaus-malvertising) ",
+ "meta": {
+ "external_id": "T1583.008",
+ "kill_chain": [
+ "mitre-attack:resource-development"
+ ],
+ "mitre_data_sources": [
+ "Internet Scan: Response Content"
+ ],
+ "mitre_platforms": [
+ "PRE"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1583/008",
+ "https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e",
+ "https://www.bbc.com/news/technology-12891182",
+ "https://www.ic3.gov/Media/Y2022/PSA221221",
+ "https://www.sentinelone.com/blog/breaking-down-the-seo-poisoning-attack-how-attackers-are-hijacking-search-results/",
+ "https://www.spamhaus.com/resource-center/a-surge-of-malvertising-across-google-ads-is-distributing-dangerous-malware/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0458aab9-ad42-4eac-9e22-706a95bafee2",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "155207c0-7f53-4f13-a06b-0a9907ef5096",
+ "value": "Malvertising - T1583.008"
+ },
+ {
+ "description": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. 
Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.",
 "meta": {
 "external_id": "T1584.004",
 "kill_chain": [
@@ -29141,7 +29514,6 @@
 "refs": [
 "http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf",
 "https://attack.mitre.org/techniques/T1014",
- "https://capec.mitre.org/data/definitions/552.html",
 "https://en.wikipedia.org/wiki/Rootkit",
 "https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/",
 "https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf"
@@ -29324,7 +29696,6 @@
 "refs": [
 "http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf",
 "https://attack.mitre.org/techniques/T1036",
- "https://capec.mitre.org/data/definitions/177.html",
 "https://lolbas-project.github.io/",
 "https://twitter.com/ItsReallyNick/status/1055321652777619457"
 ]
@@ -29893,7 +30264,7 @@ "value": "DNSCalc - T1324" }, { - "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source.", + "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. 
Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)", "meta": { "external_id": "T1566", "kill_chain": [ 
@@ -29915,9 +30286,15 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1566", - "https://capec.mitre.org/data/definitions/98.html", + "https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends", + "https://blog.sygnia.co/luna-moth-false-subscription-scams", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide", - "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" + "https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/", + "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/", + "https://www.cisa.gov/uscert/ncas/alerts/aa23-025a", + "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", + "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", + "https://www.proofpoint.com/us/threat-reference/email-spoofing" ] }, "uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", @@ -29953,5 +30330,5 @@ "value": "Keychain - T1579" } ], - "version": 24 + "version": 25 } diff --git a/clusters/mitre-course-of-action.json b/clusters/mitre-course-of-action.json index e78f3c3..9434f17 100644 --- a/clusters/mitre-course-of-action.json +++ b/clusters/mitre-course-of-action.json @@ -22,15 +22,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "8b36d944-f274-4d46-9acd-dbba6927ce7a", "value": "Registry Run Keys / Startup Folder Mitigation - T1060" }, 
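Review bot: In the `@@ -22,15 +22,7 @@` hunk the `related` array of "Registry Run Keys / Startup Folder Mitigation - T1060" is collapsed to `"related": []`, and the same pattern repeats for every other legacy "… Mitigation - T1xxx" entry in the following hunks (L240 through L257), whereas the current mitigations only lose individual `mitigates` edges. If the generator now skips relationships whose source or target is revoked or deprecated in the v13 STIX bundle, that is presumably intended, but it silently drops the mitigation→technique mapping that galaxy consumers may use for coverage reporting and the commit message does not mention it. A one-line pointer in the commit description to the upstream change that produced the empty arrays (or to the generator option that filters them) would make the bulk removal auditable rather than looking like a regression. Where the empty arrays are deliberate, `"related": []` is preferable to omitting the key, so the current output shape is fine.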
@@ -43,15 +35,7 @@ "https://attack.mitre.org/mitigations/T1041" ] }, - "related": [ - { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "92c28497-2820-445e-9f3e-a03dd77dc0c8", "value": "Exfiltration Over Command and Control Channel Mitigation - T1041" }, @@ -65,15 +49,7 @@ "https://www.techrepublic.com/blog/data-center/configuring-wireless-settings-via-group-policy/" ] }, - "related": [ - { - "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "a98be93b-a75b-4dd4-8a72-4dfd0b5e25bb", "value": "Exfiltration Over Other Network Medium Mitigation - T1011" }, @@ -100,13 +76,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "tags": [ @@ -135,13 +104,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "tags": [ @@ -149,13 +111,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", "tags": [ @@ -205,6 +160,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", "tags": [ 
@@ -219,13 +181,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", "tags": [ @@ -275,13 +230,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "6b57dc31-b814-4a03-8706-28bc20d739c4", "tags": [ @@ -303,13 +251,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", "tags": [ @@ -318,7 +259,7 @@ "type": "mitigates" }, { - "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3", + "dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -345,13 +286,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "808e6329-ca91-4b87-ac2d-8eadc5f8f327", "tags": [ @@ -394,13 +328,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", "tags": [ 
@@ -429,20 +356,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "c48a67ee-b657-45c1-91bf-6cdbe27205f8", "tags": [ @@ -485,13 +398,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "d376668f-b208-42de-b1f5-fdfe0ad4b753", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "d456de47-a16f-4e46-8980-e67478a12dcb", "tags": [ @@ -555,27 +461,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ @@ -624,6 +509,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "19bf235b-8620-4997-b5b4-94e0659ed7c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4", "tags": [ 
@@ -632,14 +524,14 @@ "type": "mitigates" }, { - "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -673,20 +565,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "cabe189c-a0e3-4965-a473-dcff00f17213", "tags": [ @@ -739,15 +617,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "d9727aee-48b8-4fdb-89e2-4c49746ba4dd", "value": "Data from Network Shared Drive Mitigation - T1039" }, @@ -760,15 +630,7 @@ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf" ] }, - "related": [ - { - "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "0bc3ce00-83bc-4a92-a042-79ffbc6af259", "value": "Windows Management Instrumentation Event Subscription Mitigation - T1084" }, 
@@ -781,15 +643,7 @@ "https://attack.mitre.org/mitigations/T1094" ] }, - "related": [ - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "f3d0c735-330f-43c2-8e8e-51bcfa51e8c3", "value": "Custom Command and Control Protocol Mitigation - T1094" }, @@ -805,15 +659,7 @@ "https://attack.mitre.org/mitigations/T1183" ] }, - "related": [ - { - "dest-uuid": "62166220-e498-410f-a90a-19d4339d4e99", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "33f76731-b840-446f-bee0-53687dad24d9", "value": "Image File Execution Options Injection Mitigation - T1183" }, @@ -826,15 +672,7 @@ "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf" ] }, - "related": [ - { - "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "ef273807-c465-4728-9cee-5823422f42ee", "value": "SIP and Trust Provider Hijacking Mitigation - T1198" }, @@ -847,15 +685,7 @@ "https://attack.mitre.org/mitigations/T1095" ] }, - "related": [ - { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "399d9038-b100-43ef-b28d-a5065106b935", "value": "Standard Non-Application Layer Protocol Mitigation - T1095" }, 
@@ -872,15 +702,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "d01f473f-3cdc-4867-9e55-1de9cf1986f0", "value": "Deobfuscate/Decode Files or Information Mitigation - T1140" }, @@ -969,15 +791,7 @@ "https://attack.mitre.org/mitigations/T1030" ] }, - "related": [ - { - "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "ba06d68a-4891-4eb5-b634-152e05ec60ee", "value": "Data Transfer Size Limits Mitigation - T1030" }, @@ -994,15 +808,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "7ee0879d-ce4f-4f54-a96b-c532dfb98ffd", "value": "Data from Local System Mitigation - T1005" }, @@ -1019,15 +825,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "902286b2-96cc-4dd7-931f-e7340c9961da", "value": "File System Logical Offsets Mitigation - T1006" }, 
@@ -1051,29 +849,7 @@ "https://attack.mitre.org/mitigations/T1070" ] }, - "related": [ - { - "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "6cac62ce-550b-4793-8ee6-6a1b8836edb0", "value": "Indicator Removal on Host Mitigation - T1070" }, @@ -1088,15 +864,7 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [ - { - "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "14b63e6b-7531-4476-9e60-02cc5db48b62", "value": "Exploitation of Remote Services Mitigation - T1210" }, @@ -1113,15 +881,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "684feec3-f9ba-4049-9d8f-52d52f3e0e40", "value": "System Network Configuration Discovery Mitigation - T1016" }, @@ -1140,15 +900,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "effb83a0-ead1-4b36-b7f6-b7bdf9c4616e", "value": "Replication Through Removable Media Mitigation - T1091" }, 
@@ -1161,13 +913,6 @@ ] }, "related": [ - { - "dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", "tags": [ @@ -1182,13 +927,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", "tags": [ @@ -1203,13 +941,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "tags": [ @@ -1252,13 +983,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", "tags": [ @@ -1266,13 +990,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7", "tags": [ @@ -1371,13 +1088,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2", "tags": [ @@ -1420,13 +1130,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "6b57dc31-b814-4a03-8706-28bc20d739c4", "tags": [ 
@@ -1434,20 +1137,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "723e3a2b-ca0d-4daa-ada8-82ea35d3733a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", "tags": [ @@ -1462,13 +1151,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ @@ -1477,14 +1159,7 @@ "type": "mitigates" }, { - "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72", + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1497,13 +1172,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ @@ -1525,13 +1193,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", "tags": [ @@ -1539,13 +1200,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "tags": [ 
@@ -1567,20 +1221,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99", "tags": [ @@ -1588,13 +1228,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "tags": [ @@ -1623,13 +1256,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "d3046a90-580c-4004-8208-66915bc29830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", "tags": [ @@ -1637,13 +1263,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", "tags": [ @@ -1672,20 +1291,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ 
@@ -1716,15 +1321,7 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [ - { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "f2dcee22-c275-405e-87fd-48630a19dfba", "value": "Exploitation for Client Execution Mitigation - T1203" }, @@ -1742,22 +1339,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "68c96494-1a50-403e-8844-69a6af278c68", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "d7c49196-b40e-42bc-8eed-b803113692ed", "value": "Change Default File Association Mitigation - T1042" }, @@ -1774,15 +1356,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "39706d54-0d06-4a25-816a-78cc43455100", "value": "Data from Removable Media Mitigation - T1025" }, @@ -1796,15 +1370,7 @@ "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx" ] }, - "related": [ - { - "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "e547ed6a-f1ca-40df-8613-2ce27927f145", "value": "Exfiltration Over Physical Medium Mitigation - T1052" }, 
@@ -1818,15 +1384,7 @@ "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx" ] }, - "related": [ - { - "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "b8d57b16-d8e2-428c-a645-1083795b3445", "value": "Communication Through Removable Media Mitigation - T1092" }, @@ -1843,15 +1401,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1", "value": "File and Directory Discovery Mitigation - T1083" }, @@ -1869,15 +1419,7 @@ "https://github.com/mattifestation/PowerSploit" ] }, - "related": [ - { - "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "96913243-2b5e-4483-a65c-bb152ddd2f04", "value": "DLL Search Order Hijacking Mitigation - T1038" }, @@ -1894,15 +1436,7 @@ "https://github.com/mattifestation/PowerSploit" ] }, - "related": [ - { - "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "1022138b-497c-40e6-b53a-13351cbd4090", "value": "File System Permissions Weakness Mitigation - T1044" }, 
@@ -1919,15 +1453,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "c1676218-c16a-41c9-8f7a-023779916e39", "value": "System Network Connections Discovery Mitigation - T1049" }, @@ -1942,15 +1468,7 @@ "https://attack.mitre.org/mitigations/T1058" ] }, - "related": [ - { - "dest-uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "9378f139-10ef-4e4b-b679-2255a0818902", "value": "Service Registry Permissions Weakness Mitigation - T1058" }, @@ -1967,15 +1485,7 @@ "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" ] }, - "related": [ - { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "4b998a71-7b8f-4dcc-8f3f-277f2e740271", "value": "Indicator Removal from Tools Mitigation - T1066" }, @@ -1990,15 +1500,7 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [ - { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "92e6d080-ca3f-4f95-bc45-172a32c4e502", "value": "Exploitation for Privilege Escalation Mitigation - T1068" }, 
@@ -2011,15 +1513,7 @@ "https://github.com/hfiref0x/UACME" ] }, - "related": [ - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "beb45abb-11e8-4aef-9778-1f9ac249784f", "value": "Bypass User Account Control Mitigation - T1088" }, @@ -2034,15 +1528,7 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [ - { - "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "37a3f3f5-76e6-43fe-b935-f1f494c95725", "value": "Exploitation for Defense Evasion Mitigation - T1211" }, @@ -2059,15 +1545,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "cba5667e-e3c6-44a4-811c-266dbc00e440", "value": "Extra Window Memory Injection Mitigation - T1181" }, @@ -2082,15 +1560,7 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [ - { - "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "06160d81-62be-46e5-aa37-4b9c645ffa31", "value": "Exploitation for Credential Access Mitigation - T1212" }, @@ -2107,15 +1577,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "ff5d862a-ae6b-4833-8c15-e235d654d28e", "value": "Component Object Model Hijacking Mitigation - T1122" }, 
@@ -2127,15 +1589,7 @@ "https://attack.mitre.org/mitigations/T1213" ] }, - "related": [ - { - "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "13cad982-35e3-4340-9095-7124b653df4b", "value": "Data from Information Repositories Mitigation - T1213" }, @@ -2150,15 +1604,7 @@ "https://patchwork.kernel.org/patch/8754821/" ] }, - "related": [ - { - "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "44155d14-ca75-4fdf-b033-ab3d732e2884", "value": "Kernel Modules and Extensions Mitigation - T1215" }, @@ -2175,22 +1621,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "94e95eeb-7cdb-4bd7-afba-f32fda303dbb", "value": "Network Share Connection Removal Mitigation - T1126" }, @@ -2202,15 +1633,7 @@ "https://attack.mitre.org/mitigations/T1216" ] }, - "related": [ - { - "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "51048ba0-a5aa-41e7-bf5d-993cd217dfb2", "value": "Signed Script Proxy Execution Mitigation - T1216" }, 
@@ -2222,15 +1645,7 @@ "https://attack.mitre.org/mitigations/T1129" ] }, - "related": [ - { - "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "cfd2cd3b-93e7-4b3e-ab46-f8bcafdbdfcf", "value": "Execution through Module Load Mitigation - T1129" }, @@ -2247,15 +1662,7 @@ "https://technet.microsoft.com/library/cc771387.aspx" ] }, - "related": [ - { - "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "910482b1-6749-4934-abcb-3e34d58294fc", "value": "Distributed Component Object Model Mitigation - T1175" }, @@ -2267,15 +1674,7 @@ "https://attack.mitre.org/mitigations/T1185" ] }, - "related": [ - { - "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "94f6b4f5-b528-4f50-91d5-f66457c2f8f7", "value": "Man in the Browser Mitigation - T1185" }, @@ -2287,15 +1686,7 @@ "https://attack.mitre.org/mitigations/T1158" ] }, - "related": [ - { - "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "84d633a4-dd93-40ca-8510-40238c021931", "value": "Hidden Files and Directories Mitigation - T1158" }, @@ -2313,15 +1704,7 @@ "https://www.ready.gov/business/implementation/IT" ] }, - "related": [ - { - "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "429a5c0c-e132-45c0-a4aa-c1f736c92a1c", "value": "Data Encrypted for Impact Mitigation - T1486" }, 
@@ -2334,15 +1717,7 @@ "https://attack.mitre.org/mitigations/T1498" ] }, - "related": [ - { - "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "654addf1-47ab-410a-8578-e1a0dc2a49b8", "value": "Network Denial of Service Mitigation - T1498" }, @@ -2355,43 +1730,7 @@ "https://attack.mitre.org/mitigations/T1499" ] }, - "related": [ - { - "dest-uuid": "0df05477-c572-4ed6-88a9-47c581f548f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "18cffc21-3260-437e-80e4-4ab8bf2ba5e9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "c675646d-e204-4aa8-978d-e3d6d65885c4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "82c21600-ccb6-4232-8c04-ef3792b56628", "value": "Endpoint Denial of Service Mitigation - T1499" }, @@ -2403,15 +1742,7 @@ "https://attack.mitre.org/mitigations/T1190" ] }, - "related": [ - { - "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "65da1eb6-d35d-4853-b280-98a76c0aef53", "value": "Exploit Public-Facing Application Mitigation - T1190" }, 
@@ -2428,15 +1759,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "e8d22ec6-2236-48de-954b-974d17492782", "value": "Two-Factor Authentication Interception Mitigation - T1111" }, @@ -2448,15 +1771,7 @@ "https://attack.mitre.org/mitigations/T1156" ] }, - "related": [ - { - "dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "4f170666-7edb-4489-85c2-9affa28a72e0", "value": ".bash_profile and .bashrc Mitigation - T1156" }, @@ -2473,15 +1788,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44", "value": "System Owner/User Discovery Mitigation - T1033" }, @@ -2498,15 +1805,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "25d5e1d8-c6fb-4735-bc57-115a21222f4b", "value": "Application Window Discovery Mitigation - T1010" }, @@ -2568,6 +1867,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "tags": [ 
@@ -2631,6 +1937,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ @@ -2771,6 +2084,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ @@ -2806,13 +2126,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "tags": [ @@ -2842,15 +2155,7 @@ "https://attack.mitre.org/mitigations/T1004" ] }, - "related": [ - { - "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "313c8b20-4d49-40c1-9ac0-4c573aca28f3", "value": "Winlogon Helper DLL Mitigation - T1004" }, @@ -2867,15 +2172,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "ae56a49d-5281-45c5-ab95-70a1439c338e", "value": "Compile After Delivery Mitigation - T1500" }, @@ -2923,13 +2220,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "233fe2c0-cb41-4765-b454-e0087597fbce", "tags": [ 
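Review bot: The `@@ -2806,13 +2126,6 @@` hunk removes the relationship to `edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0` from a mitigation whose other relationships are kept, and the same uuid is removed again at `@@ -3703,13 +2812,6 @@` on L263 while it is the sole target of the "Dynamic Data Exchange Mitigation - T1173" entry emptied on L268; `772bc7a8-a157-42cc-8728-d648e25c7fe7` (L263), `54456690-84de-4538-9101-643e26437e09`, `d21a2069-23d5-4043-ad6d-64f6b644cb1a` and `d3df754e-997b-4cf9-97d4-70feb3120847` (L272) follow the same pattern and match the targets of the T1175, T1483, T1223 and T1194 mitigations emptied on L255, L270 and L269. These are presumably the technique objects that were revoked when the techniques became sub-techniques, so dropping the link is only correct if the mitigation's relationship to the replacing technique uuid is emitted elsewhere in this diff. Worth confirming that the generator re-points a relationship whose target is revoked at the replacement uuid rather than discarding it, otherwise current mitigations lose coverage for techniques that still exist under a new id. The enclosing mitigation objects start and end outside these hunks.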
@@ -3136,15 +2426,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "d8787791-d22e-45bb-a9a8-251d8d0a1ff2", "value": "System Service Discovery Mitigation - T1007" }, @@ -3161,15 +2443,7 @@ "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" ] }, - "related": [ - { - "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "f0a42cad-9b1f-44da-a672-718f18381018", "value": "Taint Shared Content Mitigation - T1080" }, @@ -3183,15 +2457,7 @@ "https://technet.microsoft.com/en-us/library/dn408187.aspx" ] }, - "related": [ - { - "dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "9e57c770-5a39-49a2-bb91-253ba629e3ac", "value": "Security Support Provider Mitigation - T1101" }, @@ -3208,15 +2474,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "1881da33-fdf2-4eea-afd0-e04caf9c000f", "value": "Peripheral Device Discovery Mitigation - T1120" }, 
@@ -3229,15 +2487,7 @@ "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements" ] }, - "related": [ - { - "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "49961e75-b493-423a-9ec7-ac2d6f55384a", "value": "Password Policy Discovery Mitigation - T1201" }, @@ -3251,15 +2501,7 @@ "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec" ] }, - "related": [ - { - "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "23061b40-a7b6-454f-8950-95d5ff80331c", "value": "Install Root Certificate Mitigation - T1130" }, @@ -3275,15 +2517,7 @@ "https://github.com/mattifestation/PowerSploit" ] }, - "related": [ - { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "fe0aeb41-1a51-4152-8467-628256ea6adf", "value": "Modify Existing Service Mitigation - T1031" }, @@ -3296,15 +2530,7 @@ "https://attack.mitre.org/mitigations/T1105" ] }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "cdecc44a-1dbf-4c1f-881c-f21e3f47272a", "value": "Remote File Copy Mitigation - T1105" }, 
@@ -3321,15 +2547,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "a6525aec-acc4-47fe-92f9-b9b4de4b9228", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "aaa92b37-f96c-4a0a-859c-b1cb6faeb13d", "value": "Graphical User Interface Mitigation - T1061" }, @@ -3341,15 +2559,7 @@ "https://attack.mitre.org/mitigations/T1017" ] }, - "related": [ - { - "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "c88151a5-fe3f-4773-8147-d801587065a4", "value": "Application Deployment Software Mitigation - T1017" }, @@ -3362,22 +2572,7 @@ "https://attack.mitre.org/mitigations/T1081" ] }, - "related": [ - { - "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "0472af99-f25c-4abe-9fce-010fa3450e72", "value": "Credentials in Files Mitigation - T1081" }, @@ -3394,15 +2589,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "9a902722-cecd-4fbe-a6c9-49333aa0f8c2", "value": "Remote System Discovery Mitigation - T1018" }, 
@@ -3420,15 +2607,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "1e614ba5-2fc5-4464-b512-2ceafb14d76d", "value": "Indirect Command Execution Mitigation - T1202" }, @@ -3440,15 +2619,7 @@ "https://attack.mitre.org/mitigations/T1220" ] }, - "related": [ - { - "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "7708ac15-4beb-4863-a1a5-da2d63fb8a3c", "value": "XSL Script Processing Mitigation - T1220" }, @@ -3461,15 +2632,7 @@ "https://attack.mitre.org/mitigations/T1032" ] }, - "related": [ - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "a766ce73-5583-48f3-b7c0-0bb43c6ef8c7", "value": "Standard Cryptographic Protocol Mitigation - T1032" }, @@ -3482,15 +2645,7 @@ "https://attack.mitre.org/mitigations/T1024" ] }, - "related": [ - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "a569295c-a093-4db4-9fb4-7105edef85ad", "value": "Custom Cryptographic Protocol Mitigation - T1024" }, @@ -3507,15 +2662,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "c620e3a1-fff5-424f-abea-d2b0f3616f67", "value": "System Information Discovery Mitigation - T1082" }, 
@@ -3528,15 +2675,7 @@ "https://attack.mitre.org/mitigations/T1028" ] }, - "related": [ - { - "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "3e9f8875-d2f7-4380-a578-84393bd3b025", "value": "Windows Remote Management Mitigation - T1028" }, @@ -3566,15 +2705,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "bd2554b8-634f-4434-a986-9b49c29da2ae", "value": "Security Software Discovery Mitigation - T1063" }, @@ -3591,15 +2722,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "d256cb63-b021-4b4a-bb6d-1b42eea179a3", "value": "Network Service Scanning Mitigation - T1046" }, @@ -3647,20 +2770,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", "tags": [ @@ -3703,13 +2812,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", "tags": [ 
@@ -3735,15 +2837,7 @@ "https://www.ready.gov/business/implementation/IT" ] }, - "related": [ - { - "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "bb25b897-bfc7-4128-839d-52e9764dbfa6", "value": "Inhibit System Recovery Mitigation - T1490" }, @@ -3756,15 +2850,7 @@ "https://attack.mitre.org/mitigations/T1065" ] }, - "related": [ - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "a0d8db1d-a731-4428-8209-c07175f4b1fe", "value": "Uncommonly Used Port Mitigation - T1065" }, @@ -3777,15 +2863,7 @@ "https://github.com/iadgov/Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml" ] }, - "related": [ - { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "bcee7b05-89a6-41a5-b7aa-fce4da7ede9e", "value": "Pass the Hash Mitigation - T1075" }, @@ -3799,15 +2877,7 @@ "https://technet.microsoft.com/en-us/library/cc754272(v=ws.11).aspx" ] }, - "related": [ - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "53b3b027-bed3-480c-9101-1247047d0fe6", "value": "Remote Desktop Protocol Mitigation - T1076" }, 
@@ -3827,15 +2897,7 @@ "https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore" ] }, - "related": [ - { - "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "ac008435-af58-4f77-988a-c9b96c5920f5", "value": "NTFS File Attributes Mitigation - T1096" }, @@ -3852,15 +2914,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "dd9a85ad-6a92-4986-a215-b01d0ce7b987", "value": "Permission Groups Discovery Mitigation - T1069" }, @@ -3877,15 +2931,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "308855d1-078b-47ad-8d2a-8f9b2713ffb5", "value": "Windows Admin Shares Mitigation - T1077" }, @@ -3904,15 +2950,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "3a476d83-43eb-4fad-9b75-b1febd834e3d", "value": "Pass the Ticket Mitigation - T1097" }, 
@@ -3924,15 +2962,7 @@ "https://attack.mitre.org/mitigations/T1089" ] }, - "related": [ - { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "388606d3-f38f-45bf-885d-a9dc9df3c8a8", "value": "Disabling Security Tools Mitigation - T1089" }, @@ -3944,15 +2974,7 @@ "https://attack.mitre.org/mitigations/T1151" ] }, - "related": [ - { - "dest-uuid": "e2907cea-4b43-4ed7-a570-0fdf0fbeea00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "02f0f92a-0a51-4c94-9bda-6437b9a93f22", "value": "Space after Filename Mitigation - T1151" }, @@ -3964,22 +2986,7 @@ "https://attack.mitre.org/mitigations/T1214" ] }, - "related": [ - { - "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "4490fee2-5c70-4db3-8db5-8d88767dbd55", "value": "Credentials in Registry Mitigation - T1214" }, @@ -3996,15 +3003,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "82d8e990-c901-4aed-8596-cc002e7eb307", "value": "System Time Discovery Mitigation - T1124" }, 
@@ -4021,15 +3020,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "1c0b39f9-a0c5-42b2-abd8-dc8f1eb74e67", "value": "Browser Bookmark Discovery Mitigation - T1217" }, @@ -4044,15 +3035,7 @@ "https://attack.mitre.org/mitigations/T1128" ] }, - "related": [ - { - "dest-uuid": "bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "624d063d-cda8-4616-b4e4-54c04e427aec", "value": "Netsh Helper DLL Mitigation - T1128" }, @@ -4064,15 +3047,7 @@ "https://attack.mitre.org/mitigations/T1219" ] }, - "related": [ - { - "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "af093bc8-7b59-4e2a-9da8-8e839b4c50c6", "value": "Remote Access Tools Mitigation - T1219" }, @@ -4084,15 +3059,7 @@ "https://attack.mitre.org/mitigations/T1133" ] }, - "related": [ - { - "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2", "value": "External Remote Services Mitigation - T1133" }, @@ -4106,15 +3073,7 @@ "https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token" ] }, - "related": [ - { - "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "c61fee9f-16fb-4f8c-bbf0-869093fcd4a6", "value": "Access Token Manipulation Mitigation - T1134" }, 
@@ -4131,15 +3090,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "1f34230d-b6ae-4dc7-8599-78c18820bd21", "value": "Network Share Discovery Mitigation - T1135" }, @@ -4158,15 +3109,7 @@ "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/" ] }, - "related": [ - { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "80c91478-ac87-434f-bee7-11f37aec4d74", "value": "Dynamic Data Exchange Mitigation - T1173" }, @@ -4179,22 +3122,7 @@ "https://attack.mitre.org/mitigations/T1146" ] }, - "related": [ - { - "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d3046a90-580c-4004-8208-66915bc29830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "3e7018e9-7389-48e7-9208-0bdbcbba9483", "value": "Clear Command History Mitigation - T1146" }, @@ -4207,15 +3135,7 @@ "https://msdn.microsoft.com/library/windows/desktop/ms721766.aspx" ] }, - "related": [ - { - "dest-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "00d7d21b-69d6-4797-88a2-c86f3fc97651", "value": "Password Filter DLL Mitigation - T1174" }, 
@@ -4227,15 +3147,7 @@ "https://attack.mitre.org/mitigations/T1194" ] }, - "related": [ - { - "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "c861bcb1-946f-450d-ab75-d4e3c1103a56", "value": "Spearphishing via Service Mitigation - T1194" }, @@ -4250,15 +3162,7 @@ "https://www.mitre.org/sites/default/files/publications/se-guide-book-interactive.pdf" ] }, - "related": [ - { - "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "97d8eadb-0459-4c1d-bf1a-e053bd75df61", "value": "Supply Chain Compromise Mitigation - T1195" }, @@ -4270,15 +3174,7 @@ "https://attack.mitre.org/mitigations/T1166" ] }, - "related": [ - { - "dest-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "073cc04d-ac46-4f5a-85d7-83a91ecd6a19", "value": "Setuid and Setgid Mitigation - T1166" }, @@ -4290,15 +3186,7 @@ "https://attack.mitre.org/mitigations/T1168" ] }, - "related": [ - { - "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "c47a9b55-8f61-4b82-b833-1db6242c754e", "value": "Local Job Scheduling Mitigation - T1168" }, @@ -4314,15 +3202,7 @@ "https://msdn.microsoft.com/library/windows/desktop/dn742497.aspx" ] }, - "related": [ - { - "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "3a41b366-cfd6-4af2-a6e7-3c6e3c4ebcef", "value": "Control Panel Items Mitigation - T1196" }, 
@@ -4335,15 +3215,7 @@ "https://live.paloaltonetworks.com/t5/Ignite-2016-Blog/Breakout-Recap-Cybersecurity-Best-Practices-Part-1-Preventing/ba-p/75913" ] }, - "related": [ - { - "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "08e02f67-ea09-4f77-a70b-414963c29fc2", "value": "Compiled HTML File Mitigation - T1223" }, @@ -4356,15 +3228,7 @@ "https://attack.mitre.org/mitigations/T1482" ] }, - "related": [ - { - "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "159b4ee4-8fa1-44a5-b095-2973f3c7e25e", "value": "Domain Trust Discovery Mitigation - T1482" }, @@ -4377,15 +3241,7 @@ "https://www.ready.gov/business/implementation/IT" ] }, - "related": [ - { - "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "e9362d25-4427-446b-99e8-b8f0c3b86615", "value": "Stored Data Manipulation Mitigation - T1492" }, @@ -4401,22 +3257,7 @@ "https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/" ] }, - "related": [ - { - "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "54456690-84de-4538-9101-643e26437e09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "3bd2cf87-1ceb-4317-9aee-3e7dc713261b", "value": "Domain Generation Algorithms Mitigation - T1483" }, 
@@ -4428,15 +3269,7 @@ "https://attack.mitre.org/mitigations/T1493" ] }, - "related": [ - { - "dest-uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "245075bc-f992-4d89-af8c-834c53d403f4", "value": "Transmitted Data Manipulation Mitigation - T1493" }, @@ -4453,15 +3286,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "337172b1-b003-4034-8a3f-1d89a71da628", "value": "Runtime Data Manipulation Mitigation - T1494" }, @@ -4477,15 +3302,7 @@ "https://docs.microsoft.com/en-us/previous-versions/system-center/operations-manager-2005/cc180803(v=technet.10)" ] }, - "related": [ - { - "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "54246e2e-683f-4bf2-be4c-d7d5a60e7d22", "value": "LLMNR/NBT-NS Poisoning Mitigation - T1171" }, @@ -4512,20 +3329,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "27960489-4e7f-461d-a62a-f5c0cb521e4a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "tags": [ 
@@ -4547,20 +3350,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "54456690-84de-4538-9101-643e26437e09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -4624,6 +3413,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "ba04e672-da86-4e69-aa15-0eca5db25f43", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "tags": [ @@ -4638,20 +3434,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ @@ -4707,15 +3489,7 @@ "https://attack.mitre.org/mitigations/T1104" ] }, - "related": [ - { - "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "514e7371-a344-4de7-8ec3-3aa42b801d52", "value": "Multi-Stage Channels Mitigation - T1104" }, @@ -4727,15 +3501,7 @@ "https://attack.mitre.org/mitigations/T1072" ] }, - "related": [ - { - "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "160af6af-e733-4b6a-a04a-71c620ac0930", "value": "Third-party Software Mitigation - T1072" }, 
@@ -4747,15 +3513,7 @@ "https://attack.mitre.org/mitigations/T1073" ] }, - "related": [ - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "7a14d974-f3d9-4e4e-9b7d-980385762908", "value": "DLL Side-Loading Mitigation - T1073" }, @@ -4768,15 +3526,7 @@ "https://support.apple.com/en-us/HT204005" ] }, - "related": [ - { - "dest-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "61d02387-351a-453e-a575-160a9abc3e04", "value": "Re-opened Applications Mitigation - T1164" }, @@ -4792,15 +3542,7 @@ "https://technet.microsoft.com/library/cc835085.aspx" ] }, - "related": [ - { - "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "b91c2f9e-c1a0-44df-95f0-9e7c9d1d5e55", "value": "SID-History Injection Mitigation - T1178" }, @@ -4812,15 +3554,7 @@ "https://attack.mitre.org/mitigations/T1188" ] }, - "related": [ - { - "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "752db800-ea54-4e7a-b4c1-2a0292350ea7", "value": "Multi-hop Proxy Mitigation - T1188" }, @@ -4836,15 +3570,7 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [ - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "7a4d0054-53cd-476f-88af-955dddc80ee0", "value": "Drive-by Compromise Mitigation - T1189" }, 
@@ -4857,15 +3583,7 @@ "https://attack.mitre.org/mitigations/T1001" ] }, - "related": [ - { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e", "value": "Data Obfuscation Mitigation - T1001" }, @@ -4878,15 +3596,7 @@ "https://www.us-cert.gov/ncas/alerts/TA15-314A" ] }, - "related": [ - { - "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "bcc91b8c-f104-4710-964e-1d5409666736", "value": "Web Shell Mitigation - T1100" }, @@ -4903,15 +3613,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "2497ac92-e751-4391-82c6-1b86e34d0294", "value": "Automated Exfiltration Mitigation - T1020" }, @@ -4924,15 +3626,7 @@ "https://en.wikipedia.org/wiki/IEEE_802.1X" ] }, - "related": [ - { - "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "54e8722d-2faf-4b1b-93b6-6cbf9551669f", "value": "Hardware Additions Mitigation - T1200" }, @@ -4949,15 +3643,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "28adf6fd-ab6c-4553-9aa7-cef18a191f33", "value": "Data Compressed Mitigation - T1002" }, 
@@ -4981,15 +3667,7 @@ "https://technet.microsoft.com/library/jj865668.aspx" ] }, - "related": [ - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "aeff5887-8f9e-48d5-a523-9b395e2ce80a", "value": "Credential Dumping Mitigation - T1003" }, @@ -5068,15 +3746,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4", "value": "Network Sniffing Mitigation - T1040" }, @@ -5093,15 +3763,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "b7b2c89c-09c1-4b71-ae7c-000ec2893aab", "value": "New Service Mitigation - T1050" }, @@ -5114,15 +3776,7 @@ "https://attack.mitre.org/mitigations/T1008" ] }, - "related": [ - { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "515f6584-fa98-44fe-a4e8-e428c7188514", "value": "Fallback Channels Mitigation - T1008" }, @@ -5139,15 +3793,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "16a8ac85-a06f-460f-ad22-910167bd7332", "value": "Binary Padding Mitigation - T1009" }, 
@@ -5182,15 +3828,7 @@ "https://pages.nist.gov/800-63-3/sp800-63b.html" ] }, - "related": [ - { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "4a99fecc-680b-448e-8fe7-8144c60d272c", "value": "Brute Force Mitigation - T1110" }, @@ -5207,15 +3845,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "0640214c-95af-4c04-a574-2a1ba6dda00b", "value": "Query Registry Mitigation - T1012" }, @@ -5228,15 +3858,7 @@ "https://attack.mitre.org/mitigations/T1102" ] }, - "related": [ - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "4689b9fb-dca4-473e-831b-34717ad50c97", "value": "Web Service Mitigation - T1102" }, @@ -5376,15 +3998,7 @@ "https://attack.mitre.org/mitigations/T1103" ] }, - "related": [ - { - "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "10571bf2-8073-4edf-a71c-23bad225532e", "value": "AppInit DLLs Mitigation - T1103" }, @@ -5460,13 +4074,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ 
@@ -5474,20 +4081,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "tags": [ @@ -5509,13 +4102,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "54456690-84de-4538-9101-643e26437e09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "tags": [ @@ -5544,20 +4130,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ @@ -5614,13 +4186,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "tags": [ @@ -5684,13 +4249,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "tags": [ 
@@ -5733,13 +4291,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "cabe189c-a0e3-4965-a473-dcff00f17213", "tags": [ @@ -5824,13 +4375,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "tags": [ @@ -5865,15 +4409,7 @@ "https://attack.mitre.org/mitigations/T1013" ] }, - "related": [ - { - "dest-uuid": "1f47e2fd-fa77-4f2f-88ee-e85df308f125", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "1c6bc7f3-d517-4971-aed4-8f939090846b", "value": "Port Monitors Mitigation - T1013" }, @@ -5907,13 +4443,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ @@ -5935,13 +4464,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "27960489-4e7f-461d-a62a-f5c0cb521e4a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", "tags": [ @@ -5998,13 +4520,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "tags": [ 
@@ -6054,13 +4569,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "tags": [ @@ -6075,13 +4583,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", "tags": [ @@ -6144,13 +4645,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2", "tags": [ @@ -6215,7 +4709,7 @@ "type": "mitigates" }, { - "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6229,7 +4723,7 @@ "type": "mitigates" }, { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6261,15 +4755,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "c085476e-1964-4d7f-86e1-d8657a7741e8", "value": "Accessibility Features Mitigation - T1015" }, 
@@ -6293,15 +4779,7 @@ "https://attack.mitre.org/mitigations/T1501" ] }, - "related": [ - { - "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "83130e62-bca6-4a81-bd4b-8e233bd49db6", "value": "Systemd Service Mitigation - T1501" }, @@ -6315,15 +4793,7 @@ "https://www.acunetix.com/websitesecurity/webserver-security/" ] }, - "related": [ - { - "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5", "value": "Shared Webroot Mitigation - T1051" }, @@ -6335,22 +4805,7 @@ "https://attack.mitre.org/mitigations/T1160" ] }, - "related": [ - { - "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "402e92cd-5608-4f4b-9a34-a2c962e4bcd7", "value": "Launch Daemon Mitigation - T1160" }, @@ -6367,22 +4822,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "34efb2fd-4dc2-40d4-a564-0c147c85034d", "value": "File Deletion Mitigation - T1107" }, 
@@ -6423,20 +4863,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "tags": [ @@ -6458,13 +4884,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2", "tags": [ @@ -6500,13 +4919,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "tags": [ @@ -6528,13 +4940,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "tags": [ @@ -6563,13 +4968,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "tags": [ @@ -6584,13 +4982,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", "tags": [ 
@@ -6598,13 +4989,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ @@ -6612,13 +4996,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "tags": [ @@ -6675,13 +5052,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "tags": [ @@ -6696,13 +5066,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "6b57dc31-b814-4a03-8706-28bc20d739c4", "tags": [ @@ -6760,7 +5123,7 @@ "type": "mitigates" }, { - "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", + "dest-uuid": "7c46b364-8496-4234-8a56-f7e6727e21e1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6822,13 +5185,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "tags": [ @@ -6850,13 +5206,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", "tags": [ 
@@ -6879,14 +5228,14 @@ "type": "mitigates" }, { - "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6906,13 +5255,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "tags": [ @@ -6948,27 +5290,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ @@ -7032,13 +5353,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", "tags": [ 
@@ -7081,20 +5395,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "tags": [ @@ -7137,6 +5437,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436", "tags": [ @@ -7169,15 +5476,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "f9b3e5d9-7454-4b7d-bce6-27620e19924e", "value": "Redundant Access Mitigation - T1108" }, @@ -7189,22 +5488,7 @@ "https://attack.mitre.org/mitigations/T1109" ] }, - "related": [ - { - "dest-uuid": "10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "676975b9-7e8e-463d-a31e-4ed2ecbfed81", "value": "Component Firmware Mitigation - T1109" }, 
@@ -7217,22 +5501,7 @@ "https://attack.mitre.org/mitigations/T1019" ] }, - "related": [ - { - "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "25e53928-6f33-49b7-baee-8180578286f6", "value": "System Firmware Mitigation - T1019" }, @@ -7290,15 +5559,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "2a8de25c-f743-4348-b101-3ee33ab5871b", "value": "Data Encrypted Mitigation - T1022" }, @@ -7316,15 +5577,7 @@ "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482" ] }, - "related": [ - { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "a13e35cc-8c90-4d77-a965-5461042c1612", "value": "Shortcut Modification Mitigation - T1023" }, @@ -7336,15 +5589,7 @@ "https://attack.mitre.org/mitigations/T1204" ] }, - "related": [ - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "548bf7ad-e19c-4d74-84bf-84ac4e57f505", "value": "User Execution Mitigation - T1204" }, 
@@ -7392,13 +5637,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "tags": [ @@ -7449,7 +5687,7 @@ "type": "mitigates" }, { - "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31", + "dest-uuid": "90c4a591-d02d-490b-92aa-619d9701ac04", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7484,14 +5722,14 @@ "type": "mitigates" }, { - "dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87", + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7517,13 +5755,6 @@ ] }, "related": [ - { - "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "tags": [ @@ -7552,13 +5783,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", "tags": [ 
@@ -7573,27 +5797,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "tags": [ @@ -7628,13 +5831,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ @@ -7642,13 +5838,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec", "tags": [ @@ -7689,15 +5878,7 @@ "https://attack.mitre.org/mitigations/T1205" ] }, - "related": [ - { - "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "f6b7c116-0821-4eb7-9b24-62bd09b3e575", "value": "Port Knocking Mitigation - T1205" }, @@ -7724,13 +5905,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", "tags": [ 
@@ -7752,13 +5926,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "1126cab1-c700-412f-a510-61f4937bb096", "tags": [ @@ -7815,13 +5982,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "24769ab5-14bd-4f4e-a752-cfb185da53ee", "tags": [ @@ -7850,13 +6010,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "tags": [ @@ -7871,13 +6024,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", "tags": [ @@ -7991,14 +6137,14 @@ "type": "mitigates" }, { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "dest-uuid": "54ca26f3-c172-4231-93e5-ccebcac2161f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "54ca26f3-c172-4231-93e5-ccebcac2161f", + "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8060,13 +6206,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "tags": [ 
@@ -8088,13 +6227,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -8116,13 +6248,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", "tags": [ @@ -8151,13 +6276,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "818302b2-d640-477b-bf88-873120ce85c4", "tags": [ @@ -8172,6 +6290,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "8861073d-d1b8-4941-82ce-dce621d398f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", "tags": [ @@ -8221,13 +6346,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b", "tags": [ @@ -8249,13 +6367,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "a542bac9-7bc1-4da7-9a09-96f69e23cc21", "tags": [ @@ -8284,13 +6395,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", "tags": [ 
@@ -8305,34 +6409,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "tags": [ @@ -8340,13 +6416,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", "tags": [ @@ -8396,6 +6465,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "tags": [ @@ -8438,13 +6514,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "ea016b56-ae0e-47fe-967a-cc0ad51af67f", "tags": [ 
@@ -8508,20 +6577,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ @@ -8570,13 +6625,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" - }, - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" } ], "uuid": "9bb9e696-bff8-4ae1-9454-961fc7d91d5f", @@ -8591,15 +6639,7 @@ "https://attack.mitre.org/mitigations/T1026" ] }, - "related": [ - { - "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "da987565-27b6-4b31-bbcd-74b909847116", "value": "Multiband Communication Mitigation - T1026" }, @@ -8611,15 +6651,7 @@ "https://attack.mitre.org/mitigations/T1206" ] }, - "related": [ - { - "dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "dbf0186e-722d-4a0a-af6a-b3460f162f84", "value": "Sudo Caching Mitigation - T1206" }, @@ -8639,13 +6671,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "086952c4-5b90-4185-b573-02bad8e11953", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ 
@@ -8681,13 +6706,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
 "tags": [
@@ -8744,20 +6762,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87",
 "tags": [
@@ -8857,7 +6861,7 @@
 "type": "mitigates"
 },
 {
- "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3",
+ "dest-uuid": "90c4a591-d02d-490b-92aa-619d9701ac04",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -8877,20 +6881,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839",
 "tags": [
@@ -8905,20 +6895,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c",
 "tags": [
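Review bot: The `dest-uuid` swap in the `@@ -8857,7 +6861,7 @@` hunk (`9b99b83a-1aac-4e29-b975-b374950551a3` → `90c4a591-d02d-490b-92aa-619d9701ac04`) cannot be validated from this diff, and a `mitigates` relation whose target UUID is not present in any shipped cluster resolves to nothing in MISP without any error. Before merging, confirm that every `dest-uuid` in this file exists as a `uuid` in the clusters this bump ships, e.g. `jq -r '.values[].related[]?["dest-uuid"]' clusters/mitre-course-of-action.json | sort -u` compared against `jq -r '.values[].uuid' clusters/mitre-*.json | sort -u`. The same check covers the relations added elsewhere in this file (`d94b3ae9-…`, `b17a1a56-…`, `f232fa7a-…`, `8861073d-…`), whose targets are likewise not visible here. Since this file is generated from the upstream STIX bundle, a dangling reference would most likely point at a generator or source-data issue rather than a hand edit.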
@@ -8974,13 +6950,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292",
 "tags": [
@@ -9074,15 +7043,7 @@
 "https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings"
 ]
 },
- "related": [
- {
- "dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "a1482e43-f3ff-4fbd-94de-ad1244738166",
 "value": "Time Providers Mitigation - T1209"
 },
@@ -9095,15 +7056,7 @@
 "https://attack.mitre.org/mitigations/T1029"
 ]
 },
- "related": [
- {
- "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "1c0711c8-2a73-48a1-893d-ff88bcd23824",
 "value": "Scheduled Transfer Mitigation - T1029"
 },
@@ -9123,13 +7076,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
 "tags": [
@@ -9199,13 +7145,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "ae7f3575-0a5e-427e-991b-fe03ad44c754",
 "tags": [
@@ -9301,15 +7240,7 @@
 "https://skanthak.homepage.t-online.de/sentinel.html"
 ]
 },
- "related": [
- {
- "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "e0703d4f-3972-424a-8277-84004817e024",
 "value": "Path Interception Mitigation - T1034"
 },
@@ -9326,15 +7257,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "d5dce4b9-f1fa-4c03-aff9-ce177246cb64",
 "value": "Service Execution Mitigation - T1035"
 },
@@ -9354,15 +7277,7 @@
 "https://technet.microsoft.com/library/jj852168.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "f2cb6ce2-188d-4162-8feb-594f949b13dd",
 "value": "Scheduled Task Mitigation - T1053"
 },
@@ -9403,12 +7318,26 @@
 ],
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "mitigates"
+ },
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
 }
 ],
 "uuid": "f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c",
@@ -9458,13 +7387,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "0df05477-c572-4ed6-88a9-47c581f548f7",
 "tags": [
@@ -9493,13 +7415,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "1c2fd73a-e634-44ed-b1b5-9e7cf7404e9f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
 "tags": [
@@ -9605,13 +7520,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "808e6329-ca91-4b87-ac2d-8eadc5f8f327",
 "tags": [
@@ -9717,13 +7625,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
 "tags": [
@@ -9746,15 +7647,7 @@
 "https://attack.mitre.org/mitigations/T1037"
 ]
 },
- "related": [
- {
- "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "9ab7de33-99b2-4d8d-8cf3-182fa0015cc2",
 "value": "Logon Scripts Mitigation - T1037"
 },
@@ -9767,13 +7660,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "086952c4-5b90-4185-b573-02bad8e11953",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
 "tags": [
@@ -9787,13 +7673,6 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "mitigates"
- },
- {
- "dest-uuid": "d3046a90-580c-4004-8208-66915bc29830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
 ],
 "uuid": "609191bf-7d06-40e4-b1f8-9e11eb3ff8a6",
@@ -9812,15 +7691,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "7c39ebbf-244e-4d1c-b0ac-b282453ece43",
 "value": "Process Hollowing Mitigation - T1093"
 },
@@ -9840,20 +7711,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
 "tags": [
@@ -9881,15 +7738,7 @@
 "https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal"
 ]
 },
- "related": [
- {
- "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "ec42d8be-f762-4127-80f4-f079ea6d7135",
 "value": "Indicator Blocking Mitigation - T1054"
 },
@@ -9906,15 +7755,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "c95c8b5c-b431-43c9-9557-f494805e2502",
 "value": "Software Packing Mitigation - T1045"
 },
@@ -9926,15 +7767,7 @@
 "https://attack.mitre.org/mitigations/T1074"
 ]
 },
- "related": [
- {
- "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "4320b080-9ae9-4541-9b8b-bcd0961dbbbd",
 "value": "Data Staged Mitigation - T1074"
 },
@@ -9946,15 +7779,7 @@
 "https://attack.mitre.org/mitigations/T1480"
 ]
 },
- "related": [
- {
- "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "c61e2da1-f51f-424c-b152-dc930d4f2e70",
 "value": "Environmental Keying Mitigation - T1480"
 },
@@ -10075,15 +7900,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "f6469191-1814-4dbe-a081-2a6daf83a10b",
 "value": "Process Discovery Mitigation - T1057"
 },
@@ -10101,15 +7918,7 @@
 "https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077"
 ]
 },
- "related": [
- {
- "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "5c49bc54-9929-48ca-b581-7018219b5a97",
 "value": "Account Discovery Mitigation - T1087"
 },
@@ -10125,15 +7934,7 @@
 "https://www.us-cert.gov/ncas/alerts/TA13-175A"
 ]
 },
- "related": [
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "d45f03a8-790a-4f90-b956-cd7e5b8886bf",
 "value": "Valid Accounts Mitigation - T1078"
 },
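Review bot: After the `@@ -10125,15 +7934,7 @@` hunk, `Valid Accounts Mitigation - T1078` (uuid `d45f03a8-790a-4f90-b956-cd7e5b8886bf`) stays in the cluster with `"related": []`, so its only link to the technique it was created for (`b17a1a56-…`) is gone while the entry remains selectable as a galaxy tag; the same pattern repeats for every legacy `… Mitigation - Txxxx` entry in this file. An empty relation list is a silent signal: analysts tagging events will keep picking a mitigation that now maps to nothing, and tooling that pivots mitigation→technique through this cluster returns no result with no indication why. If upstream marks these objects as deprecated or revoked, that state should be carried on the entry itself (a deprecation marker in `meta`, or whatever convention the galaxy already uses for revoked objects) rather than implied by `"related": []`. The entry's `meta` block is outside this hunk, so whether such a marker already exists cannot be determined from the diff.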
@@ -10146,15 +7947,7 @@
 "https://attack.mitre.org/mitigations/T1079"
 ]
 },
- "related": [
- {
- "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "24478001-2eb3-4b06-a02e-96b3d61d27ec",
 "value": "Multilayer Encryption Mitigation - T1079"
 },
@@ -10171,15 +7964,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "ed202147-4026-4330-b5bd-1e8dfa8cf7cc",
 "value": "Modify Registry Mitigation - T1112"
 },
@@ -10193,15 +7978,7 @@
 "https://technet.microsoft.com/en-us/library/dn408187.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "943d370b-2054-44df-8be2-ab4139bde1c5",
 "value": "Authentication Package Mitigation - T1131"
 },
@@ -10218,15 +7995,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "51b37302-b844-4c08-ac98-ae6955ed1f55",
 "value": "Screen Capture Mitigation - T1113"
 },
@@ -10243,15 +8012,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "383caaa3-c46a-4f61-b2e3-653eb132f0e7",
 "value": "Email Collection Mitigation - T1114"
 },
@@ -10263,15 +8024,7 @@
 "https://attack.mitre.org/mitigations/T1141"
 ]
 },
- "related": [
- {
- "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "8a61f6b9-6b7a-4cf2-8e08-f1e26434f6df",
 "value": "Input Prompt Mitigation - T1141"
 },
@@ -10288,15 +8041,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "19edfa02-1a5f-47e4-ad82-3288f57f64cf",
 "value": "Clipboard Data Mitigation - T1115"
 },
@@ -10308,15 +8053,7 @@
 "https://attack.mitre.org/mitigations/T1161"
 ]
 },
- "related": [
- {
- "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "77fd4d73-6b79-4593-82e7-e4a439cc7604",
 "value": "LC_LOAD_DYLIB Addition Mitigation - T1161"
 },
@@ -10331,15 +8068,7 @@
 "https://technet.microsoft.com/en-us/library/cc733026.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "82fbc58b-171d-4a2d-9a20-c6b2a716bd08",
 "value": "Code Signing Mitigation - T1116"
 },
@@ -10356,15 +8085,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "8bd1ae32-a686-48f4-a6f8-470287f76152",
 "value": "Automated Collection Mitigation - T1119"
 },
@@ -10378,15 +8099,7 @@
 "https://support.office.com/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6"
 ]
 },
- "related": [
- {
- "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "c7e49501-6021-414f-bfa1-94519d8ec314",
 "value": "Template Injection Mitigation - T1221"
 },
@@ -10403,15 +8116,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d",
 "value": "Audio Capture Mitigation - T1123"
 },
@@ -10424,15 +8129,7 @@
 "https://attack.mitre.org/mitigations/T1132"
 ]
 },
- "related": [
- {
- "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "fcbe8424-eb3e-4794-b76d-e743f5a49b8b",
 "value": "Data Encoding Mitigation - T1132"
 },
@@ -10449,15 +8146,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d",
 "value": "Video Capture Mitigation - T1125"
 },
@@ -10484,15 +8173,7 @@
 "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html"
 ]
 },
- "related": [
- {
- "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "62ae52c9-7197-4f5b-be1d-10d2e1df2c96",
 "value": "Domain Fronting Mitigation - T1172"
 },
@@ -10507,15 +8188,7 @@
 "https://attack.mitre.org/mitigations/T1182"
 ]
 },
- "related": [
- {
- "dest-uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "95c29444-49f9-49f7-8b20-bcd68d8fcaa6",
 "value": "AppCert DLLs Mitigation - T1182"
 },
@@ -10527,15 +8200,7 @@
 "https://attack.mitre.org/mitigations/T1192"
 ]
 },
- "related": [
- {
- "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "ad7f983d-d5a8-4fce-a38c-b68eda61bf4e",
 "value": "Spearphishing Link Mitigation - T1192"
 },
@@ -10547,15 +8212,7 @@
 "https://attack.mitre.org/mitigations/T1143"
 ]
 },
- "related": [
- {
- "dest-uuid": "04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "fae44eea-caa7-42b7-a2e2-0c815ba81b9a",
 "value": "Hidden Window Mitigation - T1143"
 },
@@ -10567,15 +8224,7 @@
 "https://attack.mitre.org/mitigations/T1136"
 ]
 },
- "related": [
- {
- "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "9a5b7194-88e0-4579-b82f-e3c27b8cca80",
 "value": "Create Account Mitigation - T1136"
 },
@@ -10587,15 +8236,7 @@
 "https://attack.mitre.org/mitigations/T1138"
 ]
 },
- "related": [
- {
- "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "cfc2d2fc-14ff-495f-bd99-585be47b804f",
 "value": "Application Shimming Mitigation - T1138"
 },
@@ -10607,15 +8248,7 @@
 "https://attack.mitre.org/mitigations/T1193"
 ]
 },
- "related": [
- {
- "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "8f6b5ca6-263a-4ea9-98f3-afd2a3cd8119",
 "value": "Spearphishing Attachment Mitigation - T1193"
 },
@@ -10627,22 +8260,7 @@
 "https://attack.mitre.org/mitigations/T1139"
 ]
 },
- "related": [
- {
- "dest-uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "ace4daee-f914-4707-be75-843f16da2edf",
 "value": "Bash History Mitigation - T1139"
 },
@@ -10654,15 +8272,7 @@
 "https://attack.mitre.org/mitigations/T1144"
 ]
 },
- "related": [
- {
- "dest-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158",
 "value": "Gatekeeper Bypass Mitigation - T1144"
 },
@@ -10674,22 +8284,7 @@
 "https://attack.mitre.org/mitigations/T1145"
 ]
 },
- "related": [
- {
- "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "f27ef4f2-71fe-48b6-b7f4-02dcac14320e",
 "value": "Private Keys Mitigation - T1145"
 },
@@ -10701,15 +8296,7 @@
 "https://attack.mitre.org/mitigations/T1147"
 ]
 },
- "related": [
- {
- "dest-uuid": "ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "12cba7de-0a22-4a56-b51e-c514c67c3b43",
 "value": "Hidden Users Mitigation - T1147"
 },
@@ -10722,15 +8309,7 @@
 "https://www.symantec.com/connect/articles/ssh-and-ssh-agent"
 ]
 },
- "related": [
- {
- "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "41cff8e9-fd05-408e-b3d5-d98c54c20bcf",
 "value": "SSH Hijacking Mitigation - T1184"
 },
@@ -10742,15 +8321,7 @@
 "https://attack.mitre.org/mitigations/T1149"
 ]
 },
- "related": [
- {
- "dest-uuid": "a0a189c8-d3bd-4991-bf6f-153d185ee373",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "6e7db820-9735-4545-bc64-039bc4ce354b",
 "value": "LC_MAIN Hijacking Mitigation - T1149"
 },
@@ -10762,15 +8333,7 @@
 "https://attack.mitre.org/mitigations/T1165"
 ]
 },
- "related": [
- {
- "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "94927849-03e3-4a07-8f4c-9ee21b626719",
 "value": "Startup Items Mitigation - T1165"
 },
@@ -10782,15 +8345,7 @@
 "https://attack.mitre.org/mitigations/T1157"
 ]
 },
- "related": [
- {
- "dest-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "dc43c2fe-355e-4a79-9570-3267b0992784",
 "value": "Dylib Hijacking Mitigation - T1157"
 },
@@ -10802,15 +8357,7 @@
 "https://attack.mitre.org/mitigations/T1159"
 ]
 },
- "related": [
- {
- "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "121b2863-5b97-4538-acb3-f8aae070ec13",
 "value": "Launch Agent Mitigation - T1159"
 },
@@ -10823,15 +8370,7 @@
 "https://attack.mitre.org/mitigations/T1176"
 ]
 },
- "related": [
- {
- "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "b52f41b9-ccf6-4da7-a6c0-167eeb71fbd8",
 "value": "Browser Extensions Mitigation - T1176"
 },
@@ -10848,15 +8387,7 @@
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
 ]
 },
- "related": [
- {
- "dest-uuid": "c1a452f3-6499-4c12-b7e9-a6a0a102af76",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "34d6a2ef-370e-4d21-a34b-6208b7c78f31",
 "value": "Process Doppelgänging Mitigation - T1186"
 },
@@ -10872,15 +8403,7 @@
 "https://technet.microsoft.com/library/dn408187.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "7a6e5ca3-562f-4185-a323-f3b62b5b2e6b",
 "value": "LSASS Driver Mitigation - T1177"
 },
@@ -10894,15 +8417,7 @@
 "https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices"
 ]
 },
- "related": [
- {
- "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "7009ba4d-83d4-4851-9fbb-e09e28497765",
 "value": "Forced Authentication Mitigation - T1187"
 },
@@ -10917,15 +8432,7 @@
 "https://www.symantec.com/connect/blogs/malware-update-windows-update"
 ]
 },
- "related": [
- {
- "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "cb825b86-3f3b-4686-ba99-44878f5d3173",
 "value": "BITS Jobs Mitigation - T1197"
 },
@@ -10937,15 +8444,7 @@
 "https://attack.mitre.org/mitigations/T1199"
 ]
 },
- "related": [
- {
- "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "797312d4-8a84-4daf-9c56-57da4133c322",
 "value": "Trusted Relationship Mitigation - T1199"
 },
@@ -10957,15 +8456,7 @@
 "https://attack.mitre.org/mitigations/T1495"
 ]
 },
- "related": [
- {
- "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "70886857-0f19-4caa-b081-548354a8a994",
 "value": "Firmware Corruption Mitigation - T1495"
 },
@@ -10982,15 +8473,7 @@
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
- "related": [
- {
- "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "46acc565-11aa-40ba-b629-33ba0ab9b07b",
 "value": "Resource Hijacking Mitigation - T1496"
 },
@@ -11008,29 +8491,7 @@
 "https://www.ready.gov/business/implementation/IT"
 ]
 },
- "related": [
- {
- "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "0b3ee33e-430b-476f-9525-72d120c90f8d",
 "value": "Data Destruction Mitigation - T1488"
 },
@@ -11042,15 +8503,7 @@
 "https://attack.mitre.org/mitigations/T1489"
 ]
 },
- "related": [
- {
- "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "417fed8c-bd76-48b5-90a2-a88882a95241",
 "value": "Service Stop Mitigation - T1489"
 },
@@ -11126,13 +8579,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
 "tags": [
@@ -11147,13 +8593,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
 "tags": [
@@ -11196,6 +8635,13 @@
 ],
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "8861073d-d1b8-4941-82ce-dce621d398f0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd",
 "tags": [
@@ -11369,15 +8815,7 @@
 "https://attack.mitre.org/mitigations/T1163"
 ]
 },
- "related": [
- {
- "dest-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "c3cf2312-3aab-4aaf-86e6-ab3505430482",
 "value": "Rc.common Mitigation - T1163"
 },
@@ -11390,20 +8828,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
 "tags": [
@@ -11444,15 +8868,7 @@
 "https://attack.mitre.org/mitigations/T1121"
 ]
 },
- "related": [
- {
- "dest-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
 "uuid": "a90da496-b460-47e8-92e7-cc36eb00bd9a",
 "value": "Regsvcs/Regasm Mitigation - T1121"
 },
@@ -11659,13 +9075,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490",
 "tags": [
@@ -11680,13 +9089,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "52759bf1-fe12-4052-ace6-c5b0cf7dd7fd",
 "tags": [
@@ -11701,13 +9103,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5",
 "tags": [
@@ -11750,13 +9145,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c",
 "tags": [
@@ -11771,13 +9159,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd",
 "tags": [
@@ -11855,27 +9236,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c",
 "tags": [
@@ -11911,13 +9271,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436",
 "tags": [
@@ -11985,20 +9338,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
 "tags": [
@@ -12340,13 +9679,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d",
 "tags": [
@@ -12490,15 +9822,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "95ddb356-7ba0-4bd9-a889-247262b8946f", "value": "Rootkit Mitigation - T1014" }, @@ -12560,20 +9884,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", "tags": [ @@ -12623,13 +9933,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", "tags": [ @@ -12637,13 +9940,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "7f0ca133-88c4-40c6-a62f-b3083a7fbc2e", "tags": [ @@ -12693,13 +9989,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ 
@@ -12721,20 +10010,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", "tags": [ @@ -12844,15 +10119,7 @@ "https://attack.mitre.org/mitigations/T1170" ] }, - "related": [ - { - "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "d2dce10b-3562-4d61-b2f5-7c6384b038e2", "value": "Mshta Mitigation - T1170" }, @@ -12914,13 +10181,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ @@ -12977,20 +10237,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "tags": [ @@ -13033,13 +10279,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "tags": [ 
@@ -13054,6 +10293,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "9664ad0e-789e-40ac-82e2-d7b17fbe8fb3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", "tags": [ @@ -13082,13 +10328,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "tags": [ @@ -13124,13 +10363,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "tags": [ @@ -13200,15 +10432,7 @@ "https://technet.microsoft.com/library/cc938799.aspx" ] }, - "related": [ - { - "dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "9da16278-c6c5-4410-8a6b-9c16ce8005b3", "value": "Screensaver Mitigation - T1180" }, @@ -13221,15 +10445,7 @@ "https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET" ] }, - "related": [ - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "8c918d8a-11c5-4ffd-af10-e74bc06bdfae", "value": "Rundll32 Mitigation - T1085" }, @@ -13241,15 +10457,7 @@ "https://attack.mitre.org/mitigations/T1062" ] }, - "related": [ - { - "dest-uuid": "4be89c7c-ace6-4876-9377-c8d54cef3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "2c3ce852-06a2-40ee-8fe6-086f6402a739", "value": "Hypervisor Mitigation - T1062" }, 
@@ -13261,15 +10469,7 @@ "https://attack.mitre.org/mitigations/T1207" ] }, - "related": [ - { - "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "b70627f7-3b43-4c6f-8fc0-c918c41f8f72", "value": "DCShadow Mitigation - T1207" }, @@ -13324,13 +10524,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", "tags": [ @@ -13380,13 +10573,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "4579d9c9-d5b9-45e0-9848-0104637b579f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "4d2a5b3e-340d-4600-9123-309dd63c9bf8", "tags": [ @@ -13408,13 +10594,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "tags": [ @@ -13478,20 +10657,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ @@ -13520,13 +10685,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", "tags": [ 
@@ -13548,27 +10706,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", "tags": [ @@ -13652,13 +10789,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" - }, - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" } ], "uuid": "90c218c3-fbf8-4830-98a7-e8cfb7eaa485", @@ -13673,15 +10803,7 @@ "https://attack.mitre.org/mitigations/T1208" ] }, - "related": [ - { - "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "a3e12b04-8598-4909-8855-2c97c1e7d549", "value": "Kerberoasting Mitigation - T1208" }, @@ -13715,13 +10837,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "5909f20f-3c39-4795-be06-ef1ea40d350b", "tags": [ @@ -13743,13 +10858,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ 
@@ -13788,15 +10896,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "45e7f570-6a0b-4095-bf02-4bca05da6bae", "value": "Masquerading Mitigation - T1036" }, @@ -13816,20 +10916,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58", "tags": [ @@ -13858,13 +10944,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "101c3a64-9ba5-46c9-b573-5c501053cbca", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847", "tags": [ @@ -13887,14 +10966,7 @@ "type": "mitigates" }, { - "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302", + "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13914,13 +10986,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "2cd950a6-16c4-404a-aa01-044322395107", "tags": [ 
@@ -13935,13 +11000,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e", "tags": [ @@ -13998,13 +11056,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665", "tags": [ @@ -14012,13 +11063,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", "tags": [ @@ -14034,14 +11078,14 @@ "type": "mitigates" }, { - "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "dest-uuid": "543fceb5-cb92-40cb-aacf-6913d4db58bc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "543fceb5-cb92-40cb-aacf-6913d4db58bc", + "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14075,13 +11119,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", "tags": [ @@ -14089,13 +11126,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "tags": [ 
@@ -14103,13 +11133,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -14131,13 +11154,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961", "tags": [ @@ -14173,13 +11189,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -14187,20 +11196,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", "tags": [ @@ -14271,6 +11266,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "bef8aaee-961d-4359-a308-4c2182bcedff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", "tags": [ @@ -14285,13 +11287,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", "tags": [ 
@@ -14334,13 +11329,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ @@ -14362,13 +11350,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", "tags": [ @@ -14487,20 +11468,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "723e3a2b-ca0d-4daa-ada8-82ea35d3733a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", "tags": [ @@ -14557,13 +11524,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "c5e31fb5-fcbd-48a4-af8c-5a6ed5b932e5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", "tags": [ @@ -14578,13 +11538,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a", "tags": [ @@ -14592,13 +11545,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "ee7ff928-801c-4f34-8a99-3df965e581a5", "tags": [ 
@@ -14619,13 +11565,6 @@ ] }, "related": [ - { - "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", "tags": [ @@ -14661,13 +11600,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", "tags": [ @@ -14696,27 +11628,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "723e3a2b-ca0d-4daa-ada8-82ea35d3733a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -14738,13 +11649,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "a0a189c8-d3bd-4991-bf6f-153d185ee373", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "ae7f3575-0a5e-427e-991b-fe03ad44c754", "tags": [ @@ -14787,13 +11691,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", "tags": [ 
@@ -14821,13 +11718,6 @@ ] }, "related": [ - { - "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", "tags": [ @@ -14863,13 +11753,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "7f0ca133-88c4-40c6-a62f-b3083a7fbc2e", "tags": [ @@ -14926,15 +11809,7 @@ "https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/" ] }, - "related": [ - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "57019a80-8523-46b6-be7d-f763a15a2cc6", "value": "Scripting Mitigation - T1064" }, @@ -14948,22 +11823,7 @@ "https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process" ] }, - "related": [ - { - "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "96150c35-466f-4f0a-97a9-ae87ee27f751", "value": "Bootkit Mitigation - T1067" }, 
@@ -14976,15 +11836,7 @@ "https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/" ] }, - "related": [ - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "d0415180-51e9-40ce-b57c-c332b0b441f2", "value": "PowerShell Mitigation - T1086" }, @@ -15001,22 +11853,7 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [ - { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "5c167af7-c2cb-42c8-ae67-3fb275bf8488", "value": "Timestomp Mitigation - T1099" }, @@ -15029,15 +11866,7 @@ "https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET" ] }, - "related": [ - { - "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "12c13879-b7bd-4bc5-8def-aacec386d432", "value": "Regsvr32 Mitigation - T1117" }, @@ -15049,15 +11878,7 @@ "https://attack.mitre.org/mitigations/T1118" ] }, - "related": [ - { - "dest-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "ec418d1b-4963-439f-b055-f914737ef362", "value": "InstallUtil Mitigation - T1118" }, 
@@ -15070,15 +11891,7 @@ "https://msitpros.com/?p=3960" ] }, - "related": [ - { - "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "91816292-3686-4a6e-83c4-4c08513b9b57", "value": "CMSTP Mitigation - T1191" }, @@ -15090,15 +11903,7 @@ "https://attack.mitre.org/mitigations/T1142" ] }, - "related": [ - { - "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "56648de3-8947-4559-90c4-eda10acc0f5a", "value": "Keychain Mitigation - T1142" }, @@ -15110,15 +11915,7 @@ "https://attack.mitre.org/mitigations/T1152" ] }, - "related": [ - { - "dest-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "e333cf16-5bfa-453e-8e6a-3a4c63d6bfcc", "value": "Launchctl Mitigation - T1152" }, @@ -15130,15 +11927,7 @@ "https://attack.mitre.org/mitigations/T1153" ] }, - "related": [ - { - "dest-uuid": "45d84c8b-c1e2-474d-a14d-69b5de0a2bc0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "5391ece4-8866-415d-9b5e-8dc5944f612a", "value": "Source Mitigation - T1153" }, @@ -15150,15 +11939,7 @@ "https://attack.mitre.org/mitigations/T1154" ] }, - "related": [ - { - "dest-uuid": "b53dbcc6-147d-48bb-9df4-bcb8bb808ff6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "809b79cd-be78-4597-88d1-5496d1d9993a", "value": "Trap Mitigation - T1154" }, 
@@ -15171,15 +11952,7 @@ "https://attack.mitre.org/mitigations/T1148" ] }, - "related": [ - { - "dest-uuid": "086952c4-5b90-4185-b573-02bad8e11953", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "03c0c586-50ed-45a7-95f4-f496d7eb5330", "value": "HISTCONTROL Mitigation - T1148" }, @@ -15192,29 +11965,7 @@ "https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/" ] }, - "related": [ - { - "dest-uuid": "0cfe31a7-81fc-472c-bc45-e2808d1066a3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "5909f20f-3c39-4795-be06-ef1ea40d350b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "5d8507c4-603e-4fe1-8a4a-b8241f58734b", "value": "Defacement Mitigation - T1491" }, @@ -15227,15 +11978,7 @@ "https://www.engadget.com/2013/10/23/applescript-and-automator-gain-new-features-in-os-x-mavericks/" ] }, - "related": [ - { - "dest-uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "1e4ef2c7-ee96-4484-9baa-3b5777561301", "value": "AppleScript Mitigation - T1155" }, @@ -15247,15 +11990,7 @@ "https://attack.mitre.org/mitigations/T1169" ] }, - "related": [ - { - "dest-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "23bff3ce-021c-4e7a-9aee-60fd40bc7c6c", "value": "Sudo Mitigation - T1169" }, 
@@ -15267,15 +12002,7 @@ "https://attack.mitre.org/mitigations/T1179" ] }, - "related": [ - { - "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - } - ], + "related": [], "uuid": "7aee8ea0-0baa-4232-b379-5d9ce98352cf", "value": "Hooking Mitigation - T1179" }, @@ -15337,6 +12064,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "155207c0-7f53-4f13-a06b-0a9907ef5096", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "166de1c6-2814-4fe5-8438-4e80f76b169f", "tags": [ @@ -15771,6 +12505,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "d21bb61f-08ad-4dc1-b001-81ca6cb79954", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "db8f5003-3b20-48f0-9b76-123e44208120", "tags": [ @@ -15868,6 +12609,13 @@ ], "type": "mitigates" }, + { + "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ @@ -15876,21 +12624,7 @@ "type": "mitigates" }, { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -15939,7 +12673,7 @@
 "type": "mitigates"
 },
 {
- "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -16112,7 +12846,7 @@
 "type": "mitigates"
 },
 {
- "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb",
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -16132,13 +12866,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff",
 "tags": [
@@ -16188,13 +12915,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "27960489-4e7f-461d-a62a-f5c0cb521e4a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4",
 "tags": [
@@ -16223,13 +12943,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
 "tags": [
@@ -16286,6 +12999,13 @@
 ],
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
 "tags": [
@@ -16294,7 +13014,7 @@
 "type": "mitigates"
 },
 {
- "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
+ "dest-uuid": "438c967d-3996-4870-bfc2-3954752a1927",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -16315,7 +13035,7 @@
 "type": "mitigates"
 },
 {
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -16342,13 +13062,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba",
 "tags": [
@@ -16377,13 +13090,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
 "tags": [
@@ -16490,7 +13196,7 @@
 "type": "mitigates"
 },
 {
- "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3",
+ "dest-uuid": "90c4a591-d02d-490b-92aa-619d9701ac04",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -16503,6 +13209,13 @@
 ],
 "type": "mitigates"
 },
+ {
+ "dest-uuid": "9664ad0e-789e-40ac-82e2-d7b17fbe8fb3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
 {
 "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd",
 "tags": [
@@ -16539,7 +13252,7 @@
 "type": "mitigates"
 },
 {
- "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -16559,13 +13272,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b",
 "tags": [
@@ -16573,20 +13279,6 @@
 ],
 "type": "mitigates"
 },
- {
- "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
 {
 "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
 "tags": [
@@ -16683,5 +13375,5 @@
 "value": "Audit - M1047"
 }
 ],
- "version": 25
+ "version": 26
 }
diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json
index 50e43f1..da49cea 100644
--- a/clusters/mitre-intrusion-set.json
+++ b/clusters/mitre-intrusion-set.json
@@ -395,6 +402,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6",
 "tags": [
@@ -752,6 +759,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "e7cbc1de-1f79-48ee-abfd-da1241c65a15",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
 "tags": [
@@ -1449,13 +1463,13 @@ "https://blog.morphisec.com/cobalt-gang-2.0", "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report", + "https://web.archive.org/web/20190508170147/https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/", + "https://web.archive.org/web/20190508170630/https://www.riskiq.com/blog/labs/cobalt-strike/", "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain", "https://www.group-ib.com/blog/cobalt", "https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target", "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf", "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf", - "https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/", - "https://www.riskiq.com/blog/labs/cobalt-strike/", "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" ], "synonyms": [ @@ -1613,13 +1627,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ @@ -1669,6 +1676,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ 
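Review bot: The `b3d682b6-98f2-…` → `d511a6f6-4a33-…` substitution in the Cobalt Group `related` list (third hunk on this line) is not a one-off: the same UUID is removed and `d511a6f6-…` added under at least seven other groups in this diff, which looks like one technique being retired and its procedure examples remapped in v13. That only holds together if `d511a6f6-…` exists as a `uuid` in the updated mitre-attack-pattern.json and `b3d682b6-…` carries a `revoked-by` pointing at it; otherwise every one of these `uses` edges dangles, and the group-side hunks cannot show which case applies. A one-line cross-file check before merge (`grep -c d511a6f6-4a33-41d5-bc95-c343875d1377 clusters/mitre-attack-pattern.json`) would settle it. Replacing the live riskiq.com links with web.archive.org snapshots in the first hunk is the right call for citations that have already gone stale.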
@@ -2224,13 +2238,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "tags": [ @@ -2273,6 +2280,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ @@ -2515,6 +2529,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "tags": [ @@ -3750,11 +3771,11 @@ "meta": { "external_id": "G0032", "refs": [ - "https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/", "https://attack.mitre.org/groups/G0032", "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/", "https://home.treasury.gov/news/press-releases/sm774", "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/", "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing", "https://www.us-cert.gov/ncas/alerts/TA17-164A", "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" @@ -3818,13 +3839,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0715560d-4299-4e84-9e20-6e80ab57e4f2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "tags": [ 
@@ -3909,13 +3923,6 @@ ], "type": "uses" }, - { - "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ @@ -3944,13 +3951,6 @@ ], "type": "uses" }, - { - "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "tags": [ @@ -4028,13 +4028,6 @@ ], "type": "uses" }, - { - "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "3ffbdc1f-d2bf-41ab-91a2-c7b857e98079", "tags": [ @@ -4056,13 +4049,6 @@ ], "type": "uses" }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369", "tags": [ @@ -4119,13 +4105,6 @@ ], "type": "uses" }, - { - "dest-uuid": "506f6f49-7045-4156-9007-7474cb44ad6d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ @@ -4147,13 +4126,6 @@ ], "type": "uses" }, - { - "dest-uuid": "60c4b628-4807-4b0b-bbf5-fdac8643c337", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", "tags": [ @@ -4315,13 +4287,6 @@ ], "type": "uses" }, - { - "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "tags": [ 
@@ -4336,13 +4301,6 @@ ], "type": "uses" }, - { - "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ @@ -4385,13 +4343,6 @@ ], "type": "uses" }, - { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "aad11e34-02ca-4220-91cd-2ed420af4db3", "tags": [ @@ -4434,20 +4385,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bbe5b322-e2af-4a5e-9625-a4e62bf84ed3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988", "tags": [ @@ -4476,13 +4413,6 @@ ], "type": "uses" }, - { - "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", "tags": [ @@ -4490,13 +4420,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "tags": [ @@ -4511,20 +4434,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc723aff-ec88-40e3-a224-5af9fd983cc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ 
@@ -4553,20 +4462,6 @@ ], "type": "uses" }, - { - "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ @@ -4616,13 +4511,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e7cbc1de-1f79-48ee-abfd-da1241c65a15", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e928333f-f3df-4039-9b8b-556c2add0e42", "tags": [ @@ -4644,13 +4532,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "tags": [ @@ -4658,13 +4539,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ @@ -4707,13 +4581,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", "tags": [ 
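Review bot: What appears to be the Lazarus Group (G0032) object loses over twenty `uses` edges across this line and the preceding ones (`0715560d-…` through `f9cc4d06-…`), and none of them is replaced by a new edge or a `revoked-by`, so anyone pivoting from G0032 to its techniques in this galaxy gets a markedly thinner picture after the bump. If this mirrors ATT&CK v13 moving those procedure examples from the group onto campaign objects, the data is not gone upstream, only unrepresented here, because this cluster set has no campaign cluster to receive the edges; if instead the techniques were revoked, the removal is correct. The commit message (`chg: [mitre] bump to v13.`) does not say which, and I would add a sentence to it or to the galaxy README stating that group-level technique coverage shrank by design rather than by accident. The enclosing G0032 object starts on an earlier line and ends after this hunk.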
@@ -4983,6 +4850,7 @@ "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/", "https://www.justice.gov/opa/page/file/1098481/download", "https://www.justice.gov/opa/press-release/file/1328521/download", + "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/", "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory", "https://www.secureworks.com/research/threat-profiles/iron-viking" ], @@ -4993,7 +4861,8 @@ "IRON VIKING", "BlackEnergy (Group)", "Quedagh", - "Voodoo Bear" + "Voodoo Bear", + "IRIDIUM" ] }, "related": [ @@ -5088,6 +4957,13 @@ ], "type": "uses" }, + { + "dest-uuid": "1da748a5-875d-4212-9222-b4c23ab861be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "tags": [ @@ -5109,6 +4985,13 @@ ], "type": "uses" }, + { + "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "2b5aa86b-a0df-4382-848d-30abea443327", "tags": [ @@ -5214,13 +5097,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "tags": [ @@ -5284,13 +5160,6 @@ ], "type": "uses" }, - { - "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", "tags": [ 
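Review bot: The new Microsoft reference on Sandworm (`https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-…`) is added as a live URL, while the same commit swaps other vendors' blog links for web.archive.org snapshots (Cobalt Group, Lazarus Group, Winnti Group, Axiom). Vendor blogs get reorganized often enough that the citation behind the new `IRIDIUM` synonym is a likely candidate to rot next; either take an archive snapshot now or note that the generator only archives links once they have broken. `IRIDIUM` is Microsoft's label from that post, and Microsoft was in the middle of retiring its element-based actor names around the time of this commit, so expect another synonym for the same group on the next bump. The enclosing G0034 object continues outside the hunk.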
@@ -5299,14 +5168,14 @@ "type": "uses" }, { - "dest-uuid": "6ee2dc99-91ad-4534-a7d8-a649358c331f", + "dest-uuid": "6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "6ee2dc99-91ad-4534-a7d8-a649358c331f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5354,6 +5223,13 @@ ], "type": "uses" }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "tags": [ @@ -5389,13 +5265,6 @@ ], "type": "uses" }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "tags": [ @@ -5452,6 +5321,13 @@ ], "type": "uses" }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "baf60e1a-afe5-4d31-830f-1b1ba2351884", "tags": [ @@ -5501,13 +5377,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ @@ -5516,14 +5385,14 @@ "type": "uses" }, { - "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -5543,13 +5412,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e221eb77-1502-4129-af1d-fe1ad55e7ec6", "tags": [ @@ -5585,6 +5447,13 @@ ], "type": "uses" }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "tags": [ @@ -5599,13 +5468,6 @@ ], "type": "similar" }, - { - "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "tags": [ @@ -5758,12 +5620,12 @@ "meta": { "external_id": "G0044", "refs": [ - "http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf", "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates", "https://401trg.github.io/pages/burning-umbrella.html", "https://attack.mitre.org/groups/G0044", "https://securelist.com/games-are-over/70991/", - "https://securelist.com/winnti-more-than-just-a-game/37029/" + "https://securelist.com/winnti-more-than-just-a-game/37029/", + "https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" ], "synonyms": [ "Winnti Group", @@ -6193,6 +6055,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d52291b4-bb23-45a8-aef0-3dc7e986ba15", "tags": [ 
@@ -6329,6 +6198,20 @@ ], "type": "uses" }, + { + "dest-uuid": "0dda99f0-4701-48ca-9774-8504922e92d3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ @@ -6357,6 +6240,13 @@ ], "type": "uses" }, + { + "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "tags": [ @@ -6434,6 +6324,13 @@ ], "type": "uses" }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "tags": [ @@ -6455,6 +6352,20 @@ ], "type": "uses" }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", "tags": [ @@ -6497,6 +6408,13 @@ ], "type": "uses" }, + { + "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "tags": [ 
@@ -6532,6 +6450,20 @@ ], "type": "uses" }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7acb15b6-fe2c-4319-b136-6ab36ff0b2d4", "tags": [ @@ -6546,6 +6478,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ @@ -6553,6 +6492,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", "tags": [ @@ -6595,6 +6541,13 @@ ], "type": "similar" }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "tags": [ @@ -6644,6 +6597,27 @@ ], "type": "uses" }, + { + "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "tags": [ 
@@ -6651,6 +6625,13 @@ ], "type": "similar" }, + { + "dest-uuid": "baf60e1a-afe5-4d31-830f-1b1ba2351884", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "bc76d0a4-db11-4551-9ac4-01a469cfb161", "tags": [ @@ -6666,7 +6647,14 @@ "type": "uses" }, { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6693,6 +6681,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", "tags": [ @@ -6728,6 +6723,20 @@ ], "type": "uses" }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", "tags": [ @@ -6756,6 +6765,13 @@ ], "type": "uses" }, + { + "dest-uuid": "ed730f20-0e44-48b9-85f8-0e2adeb76867", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "tags": [ 
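Review bot: `c848fcf7-6b62-4bde-8216-b6c157d48da0` is dropped from this group's `related` list (with `bf90d72c-…` and `c3d4bdd9-…` added at the same position) and is also removed from four other groups in this diff without being added anywhere, which reads as a technique revoked or merged in v13. For a UUID that many groups referenced, the pruned edges should be backed by a `revoked-by` on the technique itself in mitre-attack-pattern.json so tooling can follow the redirect; the group-side hunks cannot show whether that exists. The batch of new `uses` edges added to this group (`0dda99f0-…`, `132d5b37-…`, `4fe28b27-…`, …) all carry the same `estimative-language:likelihood-probability="almost-certain"` tag as every other MITRE-derived edge in this file, which is the file's convention rather than a per-edge assessment and worth remembering if these feed a scoring pipeline. The enclosing group object starts and ends outside this hunk.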
@@ -6815,89 +6831,12 @@ ] }, "related": [ - { - "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "revoked-by" - }, - { - "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" 
} ], "uuid": "7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", @@ -7014,13 +6953,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "tags": [ 
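Review bot: Stripping every `uses` edge from the revoked entry `7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70` and leaving only `revoked-by` → `0ec2f388-bf0f-4b5c-97b1-fc736d26c25f` is the right shape for a revoked object, but it changes what existing MISP events tagged with this galaxy UUID resolve to: they keep the tag and lose all technique context. Correlation rules that match on `dest-uuid` directly, without following `revoked-by`, will see this group vanish from technique-based queries. Worth confirming that `0ec2f388-…` actually carries the eleven edges removed here (`09a60ea3-…`, `2b742742-…`, …, `ff6caf67-…`), and documenting in the galaxy README that revoked entries are now edge-less. The object's `value` and `description` lines fall outside the hunk.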
@@ -7404,17 +7336,19 @@ "value": "Tonto Team - G0131" }, { - "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)", + "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)", "meta": { "external_id": "G0115", "refs": [ "https://attack.mitre.org/groups/G0115", + "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/", "https://www.secureworks.com/blog/revil-the-gandcrab-connection", "https://www.secureworks.com/research/revil-sodinokibi-ransomware", "https://www.secureworks.com/research/threat-profiles/gold-southfield" ], "synonyms": [ - "GOLD SOUTHFIELD" + "GOLD SOUTHFIELD", + "Pinchy Spider" ] }, "related": [ 
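Review bot: The rewritten GOLD SOUTHFIELD description moves the first-seen date from 2019 to 2018 and adds the data-theft extortion sentence, but still carries the upstream typo `Ransomware-as-a Service` (missing the final hyphen), which this galaxy now redistributes verbatim; since the text is copied from ATT&CK the fix belongs upstream, so this is a flag rather than a change request. The new `Pinchy Spider` synonym is sourced to the added CrowdStrike link, which lands as a live URL while other vendor links in this commit are replaced by archive snapshots, so the same rot concern applies. The enclosing G0115 object continues below the hunk.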
@@ -7482,14 +7416,14 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7801,6 +7735,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ @@ -8344,6 +8285,13 @@ ], "type": "uses" }, + { + "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ @@ -8684,6 +8632,9 @@ "refs": [ "https://attack.mitre.org/groups/G0143", "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/" + ], + "synonyms": [ + "Aquatic Panda" ] }, "related": [ @@ -8764,13 +8715,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "tags": [ @@ -8785,6 +8729,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ 
@@ -8832,6 +8783,13 @@ ] }, "related": [ + { + "dest-uuid": "084517bc-b8e7-5c86-a218-3f19e1379f3e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ @@ -8964,13 +8922,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "084517bc-b8e7-5c86-a218-3f19e1379f3e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "e44e0985-bc65-4a8f-b578-211c858128e3", @@ -9114,6 +9065,13 @@ ], "type": "uses" }, + { + "dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", "tags": [ @@ -9205,6 +9163,13 @@ ], "type": "uses" }, + { + "dest-uuid": "9664ad0e-789e-40ac-82e2-d7b17fbe8fb3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", "tags": [ @@ -9518,13 +9483,6 @@ ], "type": "uses" }, - { - "dest-uuid": "93ae2edf-a598-4d2d-acd7-bcae0c021923", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -9567,13 +9525,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ 
@@ -10208,11 +10159,11 @@ "external_id": "G0001", "refs": [ "http://blogs.cisco.com/security/talos/threat-spotlight-group-72", - "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", - "http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf", "https://attack.mitre.org/groups/G0001", "https://securelist.com/games-are-over/70991/", - "https://securelist.com/winnti-more-than-just-a-game/37029/" + "https://securelist.com/winnti-more-than-just-a-game/37029/", + "https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf", + "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" ], "synonyms": [ "Axiom", @@ -10633,6 +10584,13 @@ ], "type": "uses" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "tags": [ @@ -11060,13 +11018,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", "tags": [ @@ -11172,6 +11123,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ @@ -11316,6 +11274,13 @@ ], "type": "uses" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "tags": [ 
@@ -11722,6 +11687,13 @@ ], "type": "similar" }, + { + "dest-uuid": "ad1a6df6-2251-5e47-a245-8693c1ace8fb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "tags": [ @@ -11799,13 +11771,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "tags": [ @@ -11820,6 +11785,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ @@ -11932,13 +11904,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "tags": [ @@ -11952,13 +11917,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "ad1a6df6-2251-5e47-a245-8693c1ace8fb", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", @@ -12263,6 +12221,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "tags": [ @@ -12597,6 +12562,13 @@ ], "type": "uses" }, + { + "dest-uuid": "3d9f700c-5eb5-5d36-a6e7-47b55f2844cd", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", "tags": [ 
@@ -13191,13 +13163,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "3d9f700c-5eb5-5d36-a6e7-47b55f2844cd", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", @@ -13216,13 +13181,6 @@ ] }, "related": [ - { - "dest-uuid": "10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "tags": [ @@ -13962,6 +13920,13 @@ ], "type": "uses" }, + { + "dest-uuid": "231a81cd-4e24-590b-b084-1a4715b30d67", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "tags": [ @@ -13983,6 +13948,13 @@ ], "type": "uses" }, + { + "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ @@ -14109,13 +14081,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ @@ -14158,6 +14123,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ 
@@ -14241,13 +14213,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "231a81cd-4e24-590b-b084-1a4715b30d67", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", @@ -14342,6 +14307,13 @@ ], "type": "uses" }, + { + "dest-uuid": "a4aba29f-fb91-50d9-bdf9-2b184922a200", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "tags": [ @@ -14369,13 +14341,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "a4aba29f-fb91-50d9-bdf9-2b184922a200", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", @@ -14762,13 +14727,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "tags": [ @@ -14804,6 +14762,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ 
@@ -15215,7 +15180,7 @@ "value": "APT18 - G0026" }, { - "description": "[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)\n\nIn April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. 
Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)", + "description": "[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)\n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)", "meta": { "external_id": "G0016", "refs": [ 
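Review bot: The rewritten description now links `[SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024)`, but no campaign cluster is part of this bump, so the link points outside the galaxy set, and the dozens of `uses` relationships removed from this same APT29 object in the following hunks (e.g. `3fc9b85a-…`, `40f5caa0-…`, `42e8de7b-…`) appear to have no new home here; upstream presumably moved them onto the C0024 campaign object. Anyone pivoting from the G0016 tag to technique tags (coverage maps, MISP correlation) will silently see a much smaller technique set after this update. Consider generating a `mitre-campaign` cluster in the same bump with `uses` links and a `similar`/attributed-to link back to G0016, or at least call the shrinkage out in the commit message so downstream mappings get re-checked. The APT29 object's `related` array continues well past this hunk.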
@@ -15224,6 +15189,7 @@ "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF", "https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/", + "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/", "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/", @@ -15239,6 +15205,8 @@ "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", "https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf", "https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html", "https://www.secureworks.com/research/threat-profiles/iron-ritual", "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf", "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", @@ -15257,7 +15225,9 @@ "YTTRIUM", "The Dukes", "Cozy Bear", - "CozyDuke" + "CozyDuke", + "SolarStorm", + "Blue Kitsune" ] }, "related": [ @@ -15275,13 +15245,6 @@ ], "type": "uses" }, - { - "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ 
@@ -15296,13 +15259,6 @@ ], "type": "uses" }, - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "066b057c-944e-4cfc-b654-e3dfba04b926", "tags": [ @@ -15311,14 +15267,14 @@ "type": "uses" }, { - "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15338,20 +15294,6 @@ ], "type": "uses" }, - { - "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", "tags": [ @@ -15373,13 +15315,6 @@ ], "type": "uses" }, - { - "dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "tags": [ @@ -15387,13 +15322,6 @@ ], "type": "uses" }, - { - "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ @@ -15401,13 +15329,6 @@ ], "type": "uses" }, - { - "dest-uuid": "24769ab5-14bd-4f4e-a752-cfb185da53ee", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "tags": [ 
@@ -15415,13 +15336,6 @@ ], "type": "uses" }, - { - "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "tags": [ @@ -15443,13 +15357,6 @@ ], "type": "uses" }, - { - "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "tags": [ @@ -15478,13 +15385,6 @@ ], "type": "uses" }, - { - "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "32f49626-87f4-4d6c-8f59-a0dca953fe26", "tags": [ @@ -15492,20 +15392,6 @@ ], "type": "uses" }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "3a4197ae-ec63-4162-907b-9a073d1157e4", "tags": [ @@ -15514,14 +15400,7 @@ "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "dest-uuid": "3d52e51e-f6db-4719-813c-48002a99f43a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -15548,34 +15427,6 @@ ], "type": "uses" }, - { - "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "438c967d-3996-4870-bfc2-3954752a1927", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "47124daf-44be-4530-9c63-038bc64318dd", "tags": [ @@ -15583,20 +15434,6 @@ ], "type": "uses" }, - { - "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "4efc3e00-72f2-466a-ab7c-8a7dc6603b19", "tags": [ @@ -15604,27 +15441,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "54a01db0-9fab-4d5f-8209-53cef8425f4a", "tags": [ 
@@ -15647,7 +15463,7 @@ "type": "uses" }, { - "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15688,20 +15504,6 @@ ], "type": "uses" }, - { - "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830", "tags": [ @@ -15744,27 +15546,6 @@ ], "type": "uses" }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", "tags": [ @@ -15772,27 +15553,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331", "tags": [ 
@@ -15829,7 +15589,7 @@ "type": "uses" }, { - "dest-uuid": "861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a", + "dest-uuid": "8861073d-d1b8-4941-82ce-dce621d398f0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15842,20 +15602,6 @@ ], "type": "uses" }, - { - "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", "tags": [ @@ -15863,13 +15609,6 @@ ], "type": "uses" }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "tags": [ @@ -16017,13 +15756,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "tags": [ @@ -16052,20 +15784,6 @@ ], "type": "uses" }, - { - "dest-uuid": "bc76d0a4-db11-4551-9ac4-01a469cfb161", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "bdad6f3b-de88-42fa-9295-d29b5271808e", "tags": [ @@ -16073,13 +15791,6 @@ ], "type": "uses" }, - { - "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ 
@@ -16094,13 +15805,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c26f1c05-b861-4970-94dc-2f7f921a3074", "tags": [ @@ -16108,20 +15812,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", "tags": [ @@ -16143,27 +15833,6 @@ ], "type": "uses" }, - { - "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d4dc46e3-5ba5-45b9-8204-010867cacfcb", "tags": [ @@ -16185,6 +15854,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "tags": [ 
@@ -16192,20 +15868,6 @@ ], "type": "uses" }, - { - "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e33e4603-afab-402d-b2a1-248d435b5fe0", "tags": [ @@ -16213,13 +15875,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -16241,13 +15896,6 @@ ], "type": "uses" }, - { - "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", "tags": [ @@ -16255,13 +15903,6 @@ ], "type": "uses" }, - { - "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "tags": [ @@ -16269,13 +15910,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ @@ -16283,20 +15917,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87", "tags": [ 
@@ -16311,27 +15931,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "tags": [ @@ -17289,6 +16888,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ @@ -17386,9 +16992,9 @@ "external_id": "G0096", "refs": [ "https://attack.mitre.org/groups/G0096", - "https://blog.group-ib.com/colunmtk_apt41", - "https://content.fireeye.com/apt-41/rpt-apt41", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.group-ib.com/blog/colunmtk-apt41/", + "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" ], "synonyms": [ "APT41", @@ -17557,6 +17163,13 @@ ], "type": "uses" }, + { + "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "tags": [ @@ -17662,6 +17275,13 @@ ], "type": "uses" }, + { + "dest-uuid": "6c575670-d14c-4c7f-9b9d-fd1b363e255d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ 
@@ -17767,6 +17387,13 @@ ], "type": "uses" }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "tags": [ @@ -18120,13 +17747,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4", "tags": [ @@ -18141,6 +17761,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", "tags": [ @@ -18219,6 +17846,13 @@ ] }, "related": [ + { + "dest-uuid": "24ce266c-1860-5e04-a107-48d1d39f8ebf", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", "tags": [ @@ -18253,13 +17887,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "24ce266c-1860-5e04-a107-48d1d39f8ebf", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656", @@ -18457,15 +18084,7 @@ "Taidoor" ] }, - "related": [ - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - } - ], + "related": [], "uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46", "value": "Taidoor - G0015" }, 
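Review bot: `Taidoor - G0015` is left with `"related": []` once its only `uses` link (`4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5`) is dropped, and the same dest-uuid is also removed from another group in the later `@@ -27105` hunk, which suggests the target object is revoked or deprecated in ATT&CK v13. If that is the case, this entry (or the target) should carry whatever marker the generator emits for revoked objects so analysts stop tagging with a group that now has no technique or software links; if it is not, the relationship was lost in the bump and should be restored. The object's `meta` block is outside this hunk, so I cannot tell which case applies from the diff alone.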
@@ -18475,8 +18094,8 @@ "external_id": "G0061", "refs": [ "https://attack.mitre.org/groups/G0061", - "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html", - "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" + "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html" ], "synonyms": [ "FIN8" @@ -18658,13 +18277,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "tags": [ @@ -18693,6 +18305,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ @@ -19771,14 +19390,14 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20127,13 +19746,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c9703cd3-141c-43a0-a926-380082be5d04", "tags": [ 
@@ -20567,6 +20179,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e6f4af06-fbb5-5471-82ae-b0bdb4d446ce", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "e928333f-f3df-4039-9b8b-556c2add0e42", "tags": [ @@ -20587,13 +20206,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "e6f4af06-fbb5-5471-82ae-b0bdb4d446ce", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "00f67a77-86a4-4adf-be26-1a54fc713340", @@ -21108,13 +20720,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", "tags": [ @@ -21257,13 +20862,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ @@ -22145,6 +21743,13 @@ ], "type": "uses" }, + { + "dest-uuid": "96c3508e-f5f9-52b4-9d1e-b246d68f643d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ @@ -22243,26 +21848,12 @@ ], "type": "uses" }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "96c3508e-f5f9-52b4-9d1e-b246d68f643d", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c", 
@@ -22526,13 +22117,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "tags": [ @@ -22575,6 +22159,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ @@ -23691,7 +23282,7 @@ "refs": [ "https://attack.mitre.org/groups/G0085", "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html", - "https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html", + "https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf", "https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html" ], "synonyms": [ @@ -23793,10 +23384,10 @@ "external_id": "G0045", "refs": [ "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", + "http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", "https://attack.mitre.org/groups/G0045", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", "https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", - "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", 
@@ -24743,13 +24334,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "tags": [ @@ -24792,6 +24376,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ @@ -25002,7 +24593,7 @@ "https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf", "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/", "https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/", - "https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra.pdf", + "https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf", "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/", "https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/", "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", 
@@ -25716,7 +25307,7 @@ "value": "Kimsuky - G0094" }, { - "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)", "meta": { "external_id": "G0049", "refs": [ 
@@ -25726,6 +25317,7 @@ "http://www.clearskysec.com/oilrig/", "https://attack.mitre.org/groups/G0049", "https://pan-unit42.github.io/playbook_viewer/", + "https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens", "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/", @@ -25737,7 +25329,8 @@ "COBALT GYPSY", "IRN2", "APT34", - "Helix Kitten" + "Helix Kitten", + "Evasive Serpens" ] }, "related": [ @@ -26280,13 +25873,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "tags": [ @@ -27105,18 +26691,18 @@ "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", + "dest-uuid": "d0b9840d-efe2-5200-89d1-2f1a37737e30", "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" + "estimative-language:likelihood-probability=\"likely\"" ], - "type": "uses" + "type": "similar" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", @@ -27145,13 +26731,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "d0b9840d-efe2-5200-89d1-2f1a37737e30", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "38863958-a201-4ce1-9dbe-539b0b6804e0", 
@@ -27502,13 +27081,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f9c06633-dcff-48a1-8588-759e7cec5694", @@ -27920,13 +27492,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", "tags": [ @@ -28004,6 +27569,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ @@ -28184,13 +27756,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "tags": [ @@ -28205,6 +27770,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ 
@@ -28505,453 +28077,12 @@ ] }, "related": [ - { - "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "24769ab5-14bd-4f4e-a752-cfb185da53ee", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - 
"type": "uses"
- },
- {
- "dest-uuid": "32f49626-87f4-4d6c-8f59-a0dca953fe26",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "4efc3e00-72f2-466a-ab7c-8a7dc6603b19",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- 
"dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "5c747acd-47f0-4c5a-b9e5-213541fc01e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": 
"899ce53f-13a0-479b-a0e4-67d46e241542", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "revoked-by" - }, - { - "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "979adb5a-dc30-48f0-9e3d-9a26d866928c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a8839c95-029f-44cf-8f3d-a3cf2039e927", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": 
"b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "bf48e7f8-752c-4ce8-bf8f-748edacd8fa6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": 
"f303a39a-6255-4b89-aecc-18c4d8ca7163", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "dc5e2999-ca1a-47d4-8d12-a6984b138a1b", @@ -29051,13 +28182,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ @@ -29079,6 +28203,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ 
@@ -29104,6 +28235,51 @@ "uuid": "94873029-f950-4268-9cfd-5032e15cb182", "value": "TA551 - G0127" }, + { + "description": "[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)", + "meta": { + "external_id": "G1012", + "refs": [ + "https://attack.mitre.org/groups/G1012", + "https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" + ], + "synonyms": [ + "CURIUM" + ] + }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "3ea7add5-5b8f-45d8-b1f1-905d2729d62a", + "value": "CURIUM - G1012" + }, { "description": "[Sidewinder](https://attack.mitre.org/groups/G0121) is a suspected Indian threat actor group that has been active since at least 2012. 
They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.(Citation: ATT Sidewinder January 2021)(Citation: Securelist APT Trends April 2018)(Citation: Cyble Sidewinder September 2020)", "meta": { @@ -29198,6 +28374,13 @@ ], "type": "uses" }, + { + "dest-uuid": "3dada716-34c3-506e-aa3a-1889bd975b4b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ @@ -29282,6 +28465,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ @@ -29330,13 +28520,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "3dada716-34c3-506e-aa3a-1889bd975b4b", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "3fc023b2-c5cc-481d-9c3e-70141ae1a87e", 
@@ -29607,13 +28790,107 @@ "uuid": "afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "value": "Windshift - G0112" }, + { + "description": "[Metador](https://attack.mitre.org/groups/G1013) is a suspected cyber espionage group that was first reported in September 2022. [Metador](https://attack.mitre.org/groups/G1013) has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group [Metador](https://attack.mitre.org/groups/G1013) based on the \"I am meta\" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)", + "meta": { + "external_id": "G1013", + "refs": [ + "https://assets.sentinelone.com/sentinellabs22/metador#page=1", + "https://attack.mitre.org/groups/G1013" + ], + "synonyms": [ + "Metador" + ] + }, + "related": [ + { + "dest-uuid": "3be1fb7a-0f7e-415e-8e3a-74a80d596e68", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "df350889-4de9-44e5-8cb3-888b8343e97c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "bfc5ddb3-4dfb-4278-8928-020e1b3feddd", + "value": "Metador - G1013" + }, { "description": "[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)", "meta": { "external_id": "G0114", "refs": [ "https://attack.mitre.org/groups/G0114", - "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf", "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" ], "synonyms": [ @@ -29908,13 +29185,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "tags": [ 
@@ -29985,6 +29255,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ 
@@ -30095,6 +29372,234 @@ "uuid": "99910207-1741-4da1-9b5d-537410186b51", "value": "Gelsemium - G0141" }, + { + "description": "[LuminousMoth](https://attack.mitre.org/groups/G1014) is a Chinese-speaking cyber espionage group that has been active since at least October 2020. [LuminousMoth](https://attack.mitre.org/groups/G1014) has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between [LuminousMoth](https://attack.mitre.org/groups/G1014) and [Mustang Panda](https://attack.mitre.org/groups/G0129) based on similar targeting and TTPs, as well as network infrastructure overlaps.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)", + "meta": { + "external_id": "G1014", + "refs": [ + "https://attack.mitre.org/groups/G1014", + "https://securelist.com/apt-luminousmoth/103332/", + "https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited" + ], + "synonyms": [ + "LuminousMoth" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "19401639-28d0-4c3c-adcc-bc2ba22f6421", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "31fe0ba2-62fd-4fd9-9293-4043d84f7fe9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": 
"84ae8255-b4f4-4237-b5c5-e717405a9701",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cabe189c-a0e3-4965-a473-dcff00f17213",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": 
"ef67e13e-5598-4adc-bdb2-998225874fa9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b7f627e2-0817-4cd5-8d50-e75f8aa85cc6", + "value": "LuminousMoth - G1014" + }, { "description": "[CostaRicto](https://attack.mitre.org/groups/G0132) is a suspected hacker-for-hire cyber espionage campaign that has targeted multiple industries worldwide since at least 2019. [CostaRicto](https://attack.mitre.org/groups/G0132)'s targets, a large portion of which are financial institutions, are scattered across Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia.(Citation: BlackBerry CostaRicto November 2020)", "meta": { @@ -30367,6 +29872,13 @@ ], "type": "uses" }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ @@ -30388,6 +29900,13 @@ ], "type": "uses" }, + { + "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", "tags": [ @@ -30395,6 +29914,13 @@ ], "type": "uses" }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ @@ -30437,6 +29963,13 @@ ], "type": "uses" }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177", "tags": [ 
@@ -30458,6 +29991,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "tags": [ @@ -30465,6 +30005,13 @@ ], "type": "uses" }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "tags": [ @@ -30486,6 +30033,13 @@ ], "type": "uses" }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "tags": [ @@ -30507,6 +30061,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "tags": [ @@ -30514,6 +30075,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -30521,6 +30089,13 @@ ], "type": "uses" }, + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "tags": [ @@ -30804,6 +30379,13 @@ ], "type": "uses" }, + { + "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ 
@@ -31213,7 +30795,7 @@ "meta": { "external_id": "G0138", "refs": [ - "http://download.ahnlab.com/global/brochure/[Analysis]Andariel_Group.pdf", + "http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf", "http://www.issuemakerslab.com/research3/", "https://adversary.crowdstrike.com/en-US/adversary/silent-chollima/", "https://attack.mitre.org/groups/G0138", @@ -31525,6 +31107,13 @@ ], "type": "uses" }, + { + "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92", "tags": [ @@ -31754,5 +31343,5 @@ "value": "TeamTNT - G0139" } ], - "version": 30 + "version": 31 } diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json index 802bca1..523ed4a 100644 --- a/clusters/mitre-malware.json +++ b/clusters/mitre-malware.json @@ -35,13 +35,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", @@ -429,12 +422,12 @@ "Windows" ], "refs": [ - "http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf", "https://401trg.github.io/pages/burning-umbrella.html", "https://attack.mitre.org/software/S0141", "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a", - "https://securelist.com/winnti-more-than-just-a-game/37029/" + "https://securelist.com/winnti-more-than-just-a-game/37029/", + "https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" ], "synonyms": [ "Winnti for Windows" 
@@ -931,6 +924,13 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
 "tags": [
@@ -1121,9 +1121,9 @@
 "macOS"
 ],
 "refs": [
- "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
 "https://attack.mitre.org/software/S0032",
 "https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/",
+ "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
 "https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/",
 "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html"
 ],
@@ -1314,7 +1314,7 @@
 "value": "gh0st RAT - S0032"
 },
 {
- "description": "[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. (Citation: Lee 2013) It has been used by several threat groups. (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)",
+ "description": "[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.(Citation: Lee 2013) It has been used by several threat groups.(Citation: Dell TG-3390)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Rapid7 HAFNIUM Mar 2021)",
 "meta": {
 "external_id": "S0020",
 "mitre_platforms": [
@@ -1325,6 +1325,7 @@
 "https://us-cert.cisa.gov/ncas/alerts/aa21-200a",
 "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
 "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
+ "https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/",
 "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"
 ],
 "synonyms": [
@@ -1538,6 +1539,192 @@ "uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", "value": "Unknown Logger - S0130" }, + { + "description": "[Black Basta](https://attack.mitre.org/software/S1070) is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMWare ESXi servers. [Black Basta](https://attack.mitre.org/software/S1070) operations have included the double extortion technique where in addition to demanding ransom for decrypting the files of targeted organizations the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. [Black Basta](https://attack.mitre.org/software/S1070) affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the [Black Basta](https://attack.mitre.org/software/S1070) RaaS operators could include current or former members of the [Conti](https://attack.mitre.org/software/S0575) group.(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Minerva Labs Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Cyble Black Basta May 2022)", + "meta": { + "external_id": "S1070", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1070", + "https://blog.cyble.com/2022/05/06/black-basta-ransomware/", + "https://minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware", + "https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware", + 
"https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence" + ], + "synonyms": [ + "Black Basta" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", 
+ "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "8d242fb4-9033-4f13-8a88-4b9b4bcd9a53", + "value": "Black Basta - S1070" + 
}, { "description": "[Cherry Picker](https://attack.mitre.org/software/S0107) is a point of sale (PoS) memory scraper. (Citation: Trustwave Cherry Picker)", "meta": { @@ -1715,6 +1902,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ @@ -3357,13 +3551,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "tags": [ @@ -3836,13 +4023,6 @@ ], "type": "uses" }, - { - "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "tags": [ 
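Review bot: The new S1070 entry lists only `"Windows"` under `mitre_platforms`, while its own description says there are variants that target VMware ESXi servers, so anyone filtering this cluster by platform will not surface the ESXi variant. If the cluster is regenerated from upstream ATT&CK data the gap most likely originates there and should be reported upstream rather than hand-patched here, but it is worth confirming before the bump is merged. Either extending `mitre_platforms` with the platform value upstream assigns to the ESXi variant, or trimming the claim from the description, would keep the two fields consistent.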
@@ -4176,6 +4356,229 @@ "uuid": "54895630-efd2-4608-9c24-319de972a9eb", "value": "Ragnar Locker - S0481" }, + { + "description": " [Woody RAT](https://attack.mitre.org/software/S1065) is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.(Citation: MalwareBytes WoodyRAT Aug 2022)", + "meta": { + "external_id": "S1065", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1065", + "https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild" + ], + "synonyms": [ + "Woody RAT" + ] + }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "3bc7e862-5610-4c02-9c48-15b2e2dc1ddb", + "value": "Woody RAT - S1065" + }, { "description": "[SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: Mandiant - Synful Knock)(Citation: Cisco Synful Knock Evolution)", "meta": { 
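Review bot: The S1065 description string starts with a stray leading space (`" [Woody RAT](https://attack.mitre.org/software/S1065) ...`), unlike every other description in this commit; it leaks into rendered output and breaks exact-match comparisons, and the value should begin `"[Woody RAT](https://attack.mitre.org/software/S1065) is a remote access trojan (RAT) ..."`. If this file is produced by a generator, stripping leading and trailing whitespace from descriptions there would prevent the same drift on the next bump. The Mafalda entry (S1060, later in this file) has a related inconsistency, a space before its `(Citation: SentinelLabs Metador Sept 2022)` marker, while the China Chopper hunk in this same commit removes exactly that spacing for S0020.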
@@ -5582,13 +5985,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
 "tags": [
@@ -6418,13 +6814,6 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
@@ -6516,13 +6905,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
 "tags": [
@@ -6551,6 +6933,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
 "tags": [
@@ -6923,6 +7312,160 @@ "uuid": "3161d76a-e2b2-4b97-9906-24909b735386", "value": "Aria-body - S0456" }, + { + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. [S.O.V.A.](https://attack.mitre.org/software/S1062), which is Russian for \"owl\", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)", + "meta": { + "external_id": "S1062", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1062", + "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly", + "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + ], + "synonyms": [ + "S.O.V.A." + ] + }, + "related": [ + { + "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"51636761-2e35-44bf-9e56-e337adf97174", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "74e6003f-c7f4-4047-983b-708cc19b96b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "4b53eb01-57d7-47b4-b078-22766b002b36", + "value": "S.O.V.A. - S1062" + }, { "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)", "meta": { @@ -7131,13 +7674,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec", @@ -8279,13 +8815,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517", @@ -8463,13 +8992,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", @@ -9109,8 +9631,8 @@ "Windows" ], "refs": [ - "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", "https://attack.mitre.org/software/S0009", + "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", "https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html" ], "synonyms": [ 
@@ -9529,9 +10051,9 @@
 "Linux"
 ],
 "refs": [
- "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
 "https://attack.mitre.org/software/S0021",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf",
+ "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
 "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
 "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/"
 ],
@@ -9680,13 +10202,6 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
 }
 ],
 "uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
@@ -9860,9 +10375,9 @@
 "Windows"
 ],
 "refs": [
- "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
 "https://attack.mitre.org/software/S0012",
 "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
+ "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf",
 "https://www.symantec.com/connect/blogs/life-mars-how-attackers-took-advantage-hope-alien-existance-new-darkmoon-campaign",
 "https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99"
@@ -9973,13 +10488,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ @@ -10434,8 +10942,8 @@ "http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf", "http://labs.lastline.com/an-analysis-of-plugx", "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/", - "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", "https://attack.mitre.org/software/S0013", + "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html", "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" ], @@ -10576,13 +11084,6 @@ ], "type": "uses" }, - { - "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ @@ -10660,13 +11161,6 @@ ], "type": "similar" }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "tags": [ @@ -11477,6 +11971,13 @@ ] }, "related": [ + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "tags": [ 
@@ -11881,6 +12382,271 @@ "uuid": "40a1b8ec-7295-416c-a6b1-68181d86f120", "value": "Hildegard - S0601" }, + { + "description": "[Mafalda](https://attack.mitre.org/software/S1060) is a flexible interactive implant that has been used by [Metador](https://attack.mitre.org/groups/G1013). Security researchers assess the [Mafalda](https://attack.mitre.org/software/S1060) name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. (Citation: SentinelLabs Metador Sept 2022)", + "meta": { + "external_id": "S1060", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://assets.sentinelone.com/sentinellabs22/metador#page=1", + "https://attack.mitre.org/software/S1060" + ], + "synonyms": [ + "Mafalda" + ] + }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"8cdeb020-e31e-4f88-a582-f53dcfbda819", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"e4dc8c01-417f-458d-9ee0-bb0617c1b391", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "3be1fb7a-0f7e-415e-8e3a-74a80d596e68", + "value": "Mafalda - S1060" + }, { "description": "[SideTwist](https://attack.mitre.org/software/S0610) is a C-based backdoor that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2021.(Citation: Check Point APT34 April 2021)", "meta": { @@ -12092,13 +12858,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", @@ -12596,7 +13355,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0180", - "https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2", + "https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2", "https://www.us-cert.gov/ncas/alerts/TA17-318B", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF" ], @@ -12605,6 +13364,13 @@ ] }, "related": [ + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931", "tags": [ 
@@ -12724,13 +13490,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ @@ -12751,13 +13510,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", @@ -13054,13 +13806,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", @@ -13116,13 +13861,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5bcd5511-6756-4824-a692-e8bb109364af", @@ -13222,7 +13960,7 @@ "refs": [ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://attack.mitre.org/software/S0023", - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", + "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", "https://www.justice.gov/file/1080281/download", "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" 
@@ -13244,6 +13982,13 @@ ], "type": "uses" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "tags": [ @@ -13445,11 +14190,11 @@ "Windows" ], "refs": [ - "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", "https://attack.mitre.org/software/S0203", "https://community.softwaregrp.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WosBVKjwZPZ", "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/", "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", + "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html", "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html", @@ -14825,13 +15570,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", 
@@ -15579,13 +16317,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "47afe41c-4c08-485e-b062-c3bd209a1cce", @@ -15817,13 +16548,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "tags": [ @@ -15853,14 +16577,14 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16520,13 +17244,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", 
@@ -17536,7 +18253,7 @@
 "value": "Nebulae - S0630"
 },
 {
- "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Symantec W.32 Stuxnet Dossier)",
+ "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) ",
 "meta": {
 "external_id": "S0603",
 "mitre_platforms": [
@@ -17547,7 +18264,7 @@ "https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01", "https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf", "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf", - "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" + "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" ], "synonyms": [ "Stuxnet", @@ -18322,13 +19039,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "68dca94f-c11d-421e-9287-7c501108e18c", @@ -18468,13 +19178,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", @@ -18572,14 +19275,14 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -18855,7 +19558,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -20986,13 +21689,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "tags": [ @@ -21007,6 +21703,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ @@ -21248,7 +21951,7 @@ "value": "RARSTONE - S0055" }, { - "description": "[TEARDROP](https://attack.mitre.org/software/S0560) is a memory-only dropper that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was likely used by [APT29](https://attack.mitre.org/groups/G0016) since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)", + "description": "[TEARDROP](https://attack.mitre.org/software/S0560) is a memory-only dropper that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was likely used by [APT29](https://attack.mitre.org/groups/G0016) since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)", "meta": { "external_id": "S0560", "mitre_platforms": [ @@ -21529,6 +22232,13 @@ ], "type": "uses" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ 
@@ -21599,6 +22309,13 @@ ], "type": "uses" }, + { + "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ @@ -21613,6 +22330,13 @@ ], "type": "uses" }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "tags": [ @@ -21697,13 +22421,6 @@ ], "type": "uses" }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ @@ -21795,6 +22512,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -21900,6 +22624,20 @@ ], "type": "uses" }, + { + "dest-uuid": "d4dc46e3-5ba5-45b9-8204-010867cacfcb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ @@ -21942,6 +22680,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ 
@@ -21949,6 +22694,13 @@ ], "type": "uses" }, + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "tags": [ @@ -23681,43 +24433,7 @@ "TRISIS" ] }, - "related": [ - { - "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - } - ], + "related": [], "uuid": "93ae2edf-a598-4d2d-acd7-bcae0c021923", "value": "TRITON - S0609" }, @@ -23848,13 +24564,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "tags": [ @@ -23883,13 +24592,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ 
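Review bot: Replacing TRITON's whole relationship list with `"related": []` in the `@@ -23681,43 +24433,7 @@` hunk removes every technique link from an ICS-focused entry, and nothing in the commit explains it. Read together with the new Industroyer2 entry at L419, whose platforms are `Field Controller/RTU/PLC/IED` and `Engineering Workstation` yet which carries a single relation, this suggests relationships to ICS-domain techniques are not being carried into this galaxy — an inference from the visible data, not something the diff proves. If that is the intent, say so in the commit description, e.g. `ICS-domain technique relationships are not imported; ICS software entries may carry an empty or minimal related list.`; if it is not, the generator should be checked against the upstream S0609 object before the empty list ships, since detection engineers use these edges to map malware to technique coverage.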
@@ -24508,6 +25210,9 @@
 "refs": [
 "https://attack.mitre.org/software/S1012",
 "https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage"
+ ],
+ "synonyms": [
+ "PowerLess"
 ]
 },
 "related": [
@@ -25052,15 +25757,107 @@ "value": "Prikormka - S0113" }, { - "description": "[YiSpecter](https://attack.mitre.org/software/S0311) iOS malware that affects both jailbroken and non-jailbroken iOS devices. It is also unique because it abuses private APIs in the iOS system to implement functionality. (Citation: PaloAlto-YiSpecter)", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. [YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)", "meta": { "external_id": "S0311", + "mitre_platforms": [ + "Android", + "iOS" + ], "refs": [ "https://attack.mitre.org/software/S0311", - "https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + ], + "synonyms": [ + "YiSpecter" ] }, - "related": [], + "related": [ + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "670a4d75-103b-4b14-8a9e-4652fa795edd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + 
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d3bc5020-f6a2-41c0-8ccb-5e563101b60c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9", "value": "YiSpecter - S0311" }, @@ -25824,13 +26621,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", @@ -25852,6 +26642,13 @@ ] }, "related": [ + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ 
@@ -25912,6 +26709,84 @@ "uuid": "47124daf-44be-4530-9c63-038bc64318dd", "value": "RegDuke - S0511" }, + { + "description": "[KEYPLUG](https://attack.mitre.org/software/S1051) is a modular backdoor written in C++, with Windows and Linux variants, that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least June 2021.(Citation: Mandiant APT41)", + "meta": { + "external_id": "S1051", + "mitre_platforms": [ + "Linux", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1051", + "https://www.mandiant.com/resources/apt41-us-state-governments" + ], + "synonyms": [ + "KEYPLUG", + "KEYPLUG.LINUX" + ] + }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": 
"6c575670-d14c-4c7f-9b9d-fd1b363e255d", + "value": "KEYPLUG - S1051" + }, { "description": "[Milan](https://attack.mitre.org/software/S1015) is a backdoor implant based on [DanBot](https://attack.mitre.org/software/S1014) that was written in Visual C++ and .NET. [Milan](https://attack.mitre.org/software/S1015) has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2020.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)", "meta": { 
@@ -26075,6 +26950,180 @@ "uuid": "aea6d6b8-d832-4c90-a1bb-f52c6684db6c", "value": "Milan - S1015" }, + { + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. [AbstractEmu](https://attack.mitre.org/software/S1061) was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.(Citation: lookout_abstractemu_1021)", + "meta": { + "external_id": "S1061", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1061", + "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + ], + "synonyms": [ + "AbstractEmu" + ] + }, + "related": [ + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "27d18e87-8f32-4be1-b456-39b90454360f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "2aec175b-4429-4048-8e09-3ef6cbecfc64", + "value": "AbstractEmu - S1061" + }, { "description": "[XAgentOSX](https://attack.mitre.org/software/S0161) is a trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be a port of their standard [CHOPSTICK](https://attack.mitre.org/software/S0023) or XAgent trojan. (Citation: XAgentOSX 2017)", "meta": { @@ -26936,13 +27985,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "tags": [ 
@@ -27143,6 +28185,34 @@ "uuid": "89c3dbf6-f281-41b7-be1d-a0e641014853", "value": "Concipit1248 - S0426" }, + { + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)", + "meta": { + "external_id": "S1072", + "mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Engineering Workstation" + ], + "refs": [ + "https://attack.mitre.org/software/S1072", + "https://www.youtube.com/watch?v=xC9iM5wVedQ" + ], + "synonyms": [ + "Industroyer2" + ] + }, + "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "value": "Industroyer2 - S1072" + }, { "description": "[CORALDECK](https://attack.mitre.org/software/S0212) is an exfiltration tool used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)", "meta": { @@ -27313,14 +28383,14 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -28487,7 +29557,7 @@ "refs": [ "https://attack.mitre.org/software/S0412", "https://blogs.cisco.com/security/talos/opening-zxshell", - "https://content.fireeye.com/apt-41/rpt-apt41" + "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" ], "synonyms": [ "ZxShell", @@ -28670,13 +29740,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ 
@@ -28799,6 +29862,119 @@ "uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322", "value": "KARAE - S0215" }, + { + "description": "[DEADEYE](https://attack.mitre.org/software/S1052) is a malware launcher that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least May 2021. [DEADEYE](https://attack.mitre.org/software/S1052) has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).(Citation: Mandiant APT41)", + "meta": { + "external_id": "S1052", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1052", + "https://www.mandiant.com/resources/apt41-us-state-governments" + ], + "synonyms": [ + "DEADEYE", + "DEADEYE.EMBED", + "DEADEYE.APPEND" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "c46eb8e6-bf29-4696-8008-3ddb0b4ca470", + "value": "DEADEYE - S1052" + }, { "description": "[Amadey](https://attack.mitre.org/software/S1025) is a Trojan bot that has been used since at least October 2018.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)", "meta": { @@ -29115,7 +30291,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0152", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" + "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" ], "synonyms": [ "EvilGrab" @@ -29236,6 +30412,13 @@ ], "type": "uses" }, + { + "dest-uuid": "215d9700-5881-48b8-8265-6449dbb7195d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "tags": [ 
@@ -29264,13 +30447,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "tags": [ @@ -29348,13 +30524,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "tags": [ @@ -29404,13 +30573,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "tags": [ @@ -29598,13 +30760,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ @@ -29660,13 +30815,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", @@ -29697,6 +30845,13 @@ ], "type": "uses" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "tags": [ @@ -29802,6 +30957,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8", "tags": [ 
@@ -30755,13 +31917,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", 
@@ -32201,6 +33356,134 @@ "uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71", "value": "Final1stspy - S0355" }, + { + "description": "[AvosLocker](https://attack.mitre.org/software/S1053) is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, [AvosLocker](https://attack.mitre.org/software/S1053) had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)(Citation: Joint CSA AvosLocker Mar 2022)", + "meta": { + "external_id": "S1053", + "mitre_platforms": [ + "Linux", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1053", + "https://www.ic3.gov/Media/News/2022/220318.pdf", + "https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker" + ], + "synonyms": [ + "AvosLocker" + ] + }, + "related": [ + { + "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + 
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "0945a1a5-a79a-47c8-9079-10c16cdfcb5d", + "value": "AvosLocker - S1053" + }, { "description": "[Cannon](https://attack.mitre.org/software/S0351) is a Trojan with variants written in C# 
and Delphi. It was first observed in April 2018. (Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)", "meta": { @@ -32274,13 +33557,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -32497,6 +33773,13 @@ ] }, "related": [ + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -32799,7 +34082,7 @@ "https://attack.mitre.org/software/S0153", "https://twitter.com/ItsReallyNick/status/850105140589633536", "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" + "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" ], "synonyms": [ "RedLeaves", @@ -32919,13 +34202,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ @@ -32953,13 +34229,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", @@ -33116,6 +34385,13 @@ ], "type": "uses" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ 
@@ -33487,7 +34763,7 @@ "refs": [ "https://attack.mitre.org/software/S0137", "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", + "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" ], "synonyms": [ 
@@ -33702,6 +34978,121 @@ "uuid": "f9854ba6-989d-43bf-828b-7240b8a65291", "value": "Marcher - S0317" }, + { + "description": "[Royal](https://attack.mitre.org/software/S1073) is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. [Royal](https://attack.mitre.org/software/S1073) employs partial encryption and multiple threads to evade detection and speed encryption. [Royal](https://attack.mitre.org/software/S1073) has been used in attacks against multiple industries worldwide--including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in [Royal](https://attack.mitre.org/software/S1073) and [Conti](https://attack.mitre.org/software/S0575) attacks and noted a possible connection between their operators.(Citation: Microsoft Royal ransomware November 2022)(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: Trend Micro Royal Linux ESXi February 2023)(Citation: CISA Royal AA23-061A March 2023)", + "meta": { + "external_id": "S1073", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1073", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a", + "https://www.cybereason.com/blog/royal-ransomware-analysis", + "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive", + "https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/", + "https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html" + ], + "synonyms": [ + "Royal" + ] + }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "802a874d-7463-4f2a-99e3-6a1f5a919a21", + "value": "Royal - S1073" + }, { "description": 
"[OLDBAIT](https://attack.mitre.org/software/S0138) is a credential harvester used by [APT28](https://attack.mitre.org/groups/G0007). (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)", "meta": { @@ -33711,7 +35102,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0138", - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", + "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" ], "synonyms": [ @@ -34631,7 +36022,7 @@ "https://attack.mitre.org/software/S0144", "https://twitter.com/ItsReallyNick/status/850105140589633536", "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" + "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" ], "synonyms": [ "ChChes", 
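Review bot: The new Royal entry sets `"mitre_platforms": [ "Windows" ]`, yet its own description states a variant targeting ESXi servers was observed in February 2023 and its refs cite the Trend Micro Linux/ESXi write-up; AvosLocker, added in the same commit, lists both `Linux` and `Windows` for the equivalent case. This most likely mirrors the upstream ATT&CK v13 object rather than a generator error, so the fix belongs upstream, but anyone filtering this cluster by platform will miss the Linux variant until then. A one-line change would be `"mitre_platforms": [ "Linux", "Windows" ]` if local overrides are acceptable; otherwise it is worth recording as a known upstream gap.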
@@ -35273,6 +36664,124 @@ "uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", "value": "POWERSOURCE - S0145" }, + { + "description": "[Drinik](https://attack.mitre.org/software/S1054) is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, [Drinik](https://attack.mitre.org/software/S1054) resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.(Citation: cyble_drinik_1022)", + "meta": { + "external_id": "S1054", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1054", + "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + ], + "synonyms": [ + "Drinik" + ] + }, + "related": [ + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + 
"type": "uses" + }, + { + "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "value": "Drinik - S1054" + }, { "description": "[LoudMiner](https://attack.mitre.org/software/S0451) is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019)", "meta": { @@ -35374,6 +36883,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ 
@@ -35841,6 +37357,194 @@ "uuid": "92b03a94-7147-4952-9d5a-b4d24da7487c", "value": "SDBbot - S0461" }, + { + "description": "[SVCReady](https://attack.mitre.org/software/S1064) is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between [TA551](https://attack.mitre.org/groups/G0127) activity and [SVCReady](https://attack.mitre.org/software/S1064) distribution, including similarities in file names, lure images, and identical grammatical errors.(Citation: HP SVCReady Jun 2022)", + "meta": { + "external_id": "S1064", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1064", + "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" + ], + "synonyms": [ + "SVCReady" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "7230ded7-3b1a-4d6e-9735-d0ffd47af9f6", + "value": "SVCReady - S1064" + }, { "description": "[RDFSNIFFER](https://attack.mitre.org/software/S0416) is a module loaded by [BOOSTWRITE](https://attack.mitre.org/software/S0415) which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.(Citation: FireEye FIN7 Oct 2019)", "meta": { @@ -37089,13 +38793,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "tags": [ @@ -37344,13 +39041,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", 
@@ -37559,6 +39249,145 @@ "uuid": "20945359-3b39-4542-85ef-08ecb4e1c174", "value": "StrongPity - S0491" }, + { + "description": "[SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)", + "meta": { + "external_id": "S1055", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1055", + "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + ], + "synonyms": [ + "SharkBot" + ] + }, + "related": [ + { + "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + 
"type": "uses" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb4387ab-7a51-468b-bf5f-a9a8612f0303", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fd211238-f767-4599-8c0d-9dca36624626", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "9cd72f5c-bec0-4f7e-bb6d-296937116291", + "value": "SharkBot - S1055" + }, { "description": "[WINDSHIELD](https://attack.mitre.org/software/S0155) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)", "meta": { 
@@ -37603,13 +39432,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", 
@@ -38478,6 +40300,76 @@ "uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "value": "OSInfo - S0165" }, + { + "description": "[TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. [TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122) ", + "meta": { + "external_id": "S1056", + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/software/S1056", + "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" + ], + "synonyms": [ + "TianySpy" + ] + }, + "related": [ + { + "dest-uuid": "29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3e091a89-a493-4a6c-8e88-d57be19bb98d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": 
"fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", + "value": "TianySpy - S1056" + }, { "description": "[SOUNDBITE](https://attack.mitre.org/software/S0157) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)", "meta": { @@ -38556,6 +40448,13 @@ ] }, "related": [ + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ @@ -38735,13 +40634,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", @@ -38763,6 +40655,13 @@ ] }, "related": [ + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ 
@@ -38830,6 +40729,89 @@ "uuid": "3d57dcc4-be99-4613-9482-d5218f5ec13e", "value": "PolyglotDuke - S0518" }, + { + "description": "[Prestige](https://attack.mitre.org/software/S1058) ransomware has been used by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.(Citation: Microsoft Prestige ransomware October 2022)", + "meta": { + "external_id": "S1058", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1058", + "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" + ], + "synonyms": [ + "Prestige" + ] + }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "1da748a5-875d-4212-9222-b4c23ab861be", + "value": "Prestige - S1058" + }, { "description": "[SNUGRIDE](https://attack.mitre.org/software/S0159) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045) as first stage malware. (Citation: FireEye APT10 April 2017)", "meta": { 
@@ -38885,6 +40867,223 @@ "uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", "value": "SNUGRIDE - S0159" }, + { + "description": "[metaMain](https://attack.mitre.org/software/S1059) is a backdoor used by [Metador](https://attack.mitre.org/groups/G1013) to maintain long-term access to compromised machines; it has also been used to decrypt [Mafalda](https://attack.mitre.org/software/S1060) into memory.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", + "meta": { + "external_id": "S1059", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://assets.sentinelone.com/sentinellabs22/metador#page=1", + "https://attack.mitre.org/software/S1059", + "https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" + ], + "synonyms": [ + "metaMain" + ] + }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + 
], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + 
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "df350889-4de9-44e5-8cb3-888b8343e97c", + "value": "metaMain - S1059" + }, { "description": "[DEATHRANSOM](https://attack.mitre.org/software/S0616) is ransomware written in C that has been used since at least 2020, and has potential overlap with [FIVEHANDS](https://attack.mitre.org/software/S0618) and [HELLOKITTY](https://attack.mitre.org/software/S0617).(Citation: FireEye FiveHands April 2021)", "meta": { 
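Review bot: The metaMain (S1059) refs cite a live Google Docs edit URL (`https://docs.google.com/document/d/…/edit#heading=h.lmnbtht1ikzm`) and a SentinelOne asset URL with a `#page=1` fragment; both are mutable, non-archival sources for a threat-intel citation, and the Google Doc can be edited or access-restricted at any time without the cluster noticing. Elsewhere in this same commit a dead Novetta PDF link is replaced by a web.archive.org snapshot, so the same treatment is warranted here — keep the original URL and add an archived copy next to it, e.g. `"https://web.archive.org/web/<timestamp>/https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit"`. These refs presumably come straight from the ATT&CK STIX external_references, so the durable fix may belong in the generator (archive-on-import) or in an upstream ATT&CK issue rather than a hand edit of this generated file.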
@@ -39009,6 +41208,222 @@ "uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", "value": "RemoteCMD - S0166" }, + { + "description": "[DarkTortilla](https://attack.mitre.org/software/S1066) is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. [DarkTortilla](https://attack.mitre.org/software/S1066) has been used to deliver popular information stealers, RATs, and payloads such as [Agent Tesla](https://attack.mitre.org/software/S0331), AsyncRat, [NanoCore](https://attack.mitre.org/software/S0336), RedLine, [Cobalt Strike](https://attack.mitre.org/software/S0154), and Metasploit.(Citation: Secureworks DarkTortilla Aug 2022)", + "meta": { + "external_id": "S1066", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1066", + "https://www.secureworks.com/research/darktortilla-malware-analysis" + ], + "synonyms": [ + "DarkTortilla" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "5faaf81a-aa5b-4a4b-bae5-522439e068f8", + "value": "DarkTortilla - S1066" + }, { "description": "[FoggyWeb](https://attack.mitre.org/software/S0661) is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. 
It has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least early April 2021.(Citation: MSTIC FoggyWeb September 2021)", "meta": { 
@@ -39176,6 +41591,125 @@ "uuid": "72911fe3-f085-40f7-b4f2-f25a4221fe44", "value": "FoggyWeb - S0661" }, + { + "description": "[FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)", + "meta": { + "external_id": "S1067", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1067", + "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/", + "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + ], + "synonyms": [ + "FluBot" + ] + }, + "related": [ + { + "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "24a77e53-0751-46fc-b207-99378fb35c08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5ca3c7ec-55b2-4587-9376-cf6c96f8047a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fd211238-f767-4599-8c0d-9dca36624626", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "value": "FluBot - S1067" + }, { "description": "[HELLOKITTY](https://attack.mitre.org/software/S0617) is a ransomware written in C++ that shares similar code structure and functionality with [DEATHRANSOM](https://attack.mitre.org/software/S0616) and [FIVEHANDS](https://attack.mitre.org/software/S0618). [HELLOKITTY](https://attack.mitre.org/software/S0617) has been used since at least 2020, targets have included a Polish video game developer and a Brazilian electric power company.(Citation: FireEye FiveHands April 2021)", "meta": { 
@@ -39564,6 +42098,171 @@ "uuid": "f464354c-7103-47c6-969b-8766f0157ed2", "value": "FIVEHANDS - S0618" }, + { + "description": "[BlackCat](https://attack.mitre.org/software/S1068) is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, [BlackCat](https://attack.mitre.org/software/S1068) has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)(Citation: ACSC BlackCat Apr 2022)", + "meta": { + "external_id": "S1068", + "mitre_platforms": [ + "Linux", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1068", + "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", + "https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat", + "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" + ], + "synonyms": [ + "BlackCat", + "ALPHV", + "Noberus" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + 
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "50c44c34-3abb-48ae-9433-a2337de5b0bc", + "value": "BlackCat - S1068" + }, { "description": "[DownPaper](https://attack.mitre.org/software/S0186) is a backdoor Trojan; its main functionality is to download and run second stage malware. (Citation: ClearSky Charming Kitten Dec 2017)", "meta": { 
@@ -40108,6 +42807,110 @@ "uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", "value": "PUNCHBUGGY - S0196" }, + { + "description": "[TangleBot](https://attack.mitre.org/software/S1069) is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. [TangleBot](https://attack.mitre.org/software/S1069) has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to [FluBot](https://attack.mitre.org/software/S1067) Android malware campaigns.(Citation: cloudmark_tanglebot_0921)", + "meta": { + "external_id": "S1069", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S1069", + "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" + ], + "synonyms": [ + "TangleBot" + ] + }, + "related": [ + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", + "value": "TangleBot - S1069" + }, { "description": "[Neoichor](https://attack.mitre.org/software/S0691) is C2 malware used by [Ke3chang](https://attack.mitre.org/groups/G0004) since at least 2019; similar malware families used by the group include Leeson and Numbldea.(Citation: Microsoft NICKEL December 2021)", "meta": { @@ -40564,6 +43367,13 @@ ], "type": "uses" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "tags": [ @@ -41181,13 +43991,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "tags": [ 
@@ -41196,14 +43999,14 @@ "type": "uses" }, { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -41241,6 +44044,9 @@ "refs": [ "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/", "https://attack.mitre.org/software/S0322" + ], + "synonyms": [ + "HummingBad" ] }, "related": [ @@ -43545,6 +46351,13 @@ ] }, "related": [ + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "tags": [ @@ -43615,13 +46428,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ @@ -43649,13 +46455,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", @@ -44339,13 +47138,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ 
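Review bot: The `uses` relation to `c848fcf7-6b62-4bde-8216-b6c157d48da0` is dropped and one to `d511a6f6-4a33-41d5-bc95-c343875d1377` is added, but because the `related` array is kept sorted the hunk renders as two in-place UUID substitutions, which is easy to misread as a one-to-one technique remap. The same `c848fcf7…`, `f72eb8a8…` and `b3d682b6…` UUIDs are removed from many other software entries in this file, which looks like technique deprecation or revocation in ATT&CK v13 rather than per-entry reassessment — worth confirming and naming in the commit message, since consumers keying detections or MISP correlations on those dest-uuids silently lose the link. If those technique objects are retired in mitre-attack-pattern.json, carrying a `revoked-by`-style relation (the typed relation model these clusters already use) would preserve the mapping instead of dropping it.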
@@ -44867,6 +47659,13 @@ ], "type": "uses" }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "tags": [ @@ -45231,13 +48030,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ @@ -45784,13 +48576,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", @@ -45931,6 +48716,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ @@ -46938,6 +49730,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ @@ -47523,13 +50322,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "tags": [ @@ -47558,6 +50350,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ 
@@ -47690,13 +50489,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb", @@ -48471,6 +51263,13 @@ ], "type": "uses" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -49390,13 +52189,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ @@ -49936,13 +52728,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ @@ -50028,6 +52813,13 @@ ], "type": "uses" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -50513,8 +53305,8 @@ "Windows" ], "refs": [ - "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", - "https://attack.mitre.org/software/S0672" + "https://attack.mitre.org/software/S0672", + "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" ], "synonyms": [ "Zox", 
@@ -51005,6 +53797,13 @@ ], "type": "uses" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -51061,13 +53860,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ @@ -51082,6 +53874,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ @@ -51347,14 +54146,14 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -51750,13 +54549,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f", @@ -52545,13 +55337,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ 
@@ -52792,6 +55577,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "tags": [ @@ -52971,13 +55763,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "43155329-3edf-47a6-9a14-7dac899b01e4", @@ -54017,6 +56802,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ @@ -54253,13 +57045,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "b45747dc-87ca-4597-a245-7e16a61bc491", @@ -55948,13 +58733,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ @@ -57349,13 +60127,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ 
@@ -57404,13 +60175,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", @@ -58106,7 +60870,8 @@ "meta": { "external_id": "S0663", "mitre_platforms": [ - "Windows" + "Windows", + "Linux" ], "refs": [ "https://attack.mitre.org/software/S0663", @@ -58134,6 +60899,48 @@ ], "type": "uses" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "tags": [ 
@@ -58141,6 +60948,20 @@ ], "type": "uses" }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -58148,6 +60969,20 @@ ], "type": "uses" }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ @@ -58162,6 +60997,13 @@ ], "type": "uses" }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ @@ -58169,6 +61011,27 @@ ], "type": "uses" }, + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ 
@@ -58197,6 +61060,13 @@ ], "type": "uses" }, + { + "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "tags": [ @@ -58259,6 +61129,13 @@ ], "type": "uses" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -58441,6 +61318,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ @@ -58649,13 +61533,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "tags": [ @@ -58664,14 +61541,14 @@ "type": "uses" }, { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -58705,13 +61582,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "tags": [ 
@@ -58760,6 +61630,13 @@ ], "type": "uses" }, + { + "dest-uuid": "215d9700-5881-48b8-8265-6449dbb7195d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -58823,13 +61700,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ @@ -59407,6 +62277,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "tags": [ @@ -59448,13 +62325,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "1492d0f8-7e14-4af3-9239-bc3fe10d3407", @@ -59622,13 +62492,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "tags": [ @@ -59911,7 +62774,7 @@ "https://attack.mitre.org/software/S0387", "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/", "https://citizenlab.ca/2016/11/parliament-keyboy/", - "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html" + "https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html" ], "synonyms": [ "KeyBoy" 
@@ -60085,13 +62948,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "tags": [ @@ -60119,7 +62975,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0388", - "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf" + "https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf" ], "synonyms": [ "YAHOYAH" @@ -62915,14 +65771,14 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -63081,6 +65937,13 @@ ], "type": "uses" }, + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ @@ -63130,13 +65993,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "tags": [ @@ -63165,6 +66021,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ 
@@ -65087,6 +67950,13 @@ ], "type": "uses" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -65900,6 +68770,13 @@ ], "type": "uses" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ @@ -67126,7 +70003,7 @@ "value": "BusyGasper - S0655" }, { - "description": "[Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)", + "description": "[Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)", "meta": { "external_id": "S0565", "mitre_platforms": [ @@ -67848,6 +70725,13 @@ ] }, "related": [ + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ 
@@ -68908,7 +71792,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -69201,10 +72085,10 @@ ], "refs": [ "https://attack.mitre.org/software/S0596", - "https://content.fireeye.com/apt-41/rpt-apt41", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf", - "https://securelist.com/shadowpad-in-corporate-networks/81432/" + "https://securelist.com/shadowpad-in-corporate-networks/81432/", + "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" ], "synonyms": [ "ShadowPad", @@ -69212,6 +72096,13 @@ ] }, "related": [ + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ 
@@ -69641,7 +72532,7 @@ "value": "Penquin - S0587" }, { - "description": "[GoldFinder](https://attack.mitre.org/software/S0597) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://attack.mitre.org/software/S0597) was discovered in early 2021 during an investigation into the SolarWinds cyber intrusion by [APT29](https://attack.mitre.org/groups/G0016).(Citation: MSTIC NOBELIUM Mar 2021)", + "description": "[GoldFinder](https://attack.mitre.org/software/S0597) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://attack.mitre.org/software/S0597) was discovered in early 2021 during an investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) by [APT29](https://attack.mitre.org/groups/G0016).(Citation: MSTIC NOBELIUM Mar 2021)", "meta": { "external_id": "S0597", "mitre_platforms": [ 
@@ -69800,7 +72691,7 @@ "value": "Waterbear - S0579" }, { - "description": "[GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the SolarWinds intrusion, and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)", + "description": "[GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)", "meta": { "external_id": "S0588", "mitre_platforms": [ 
@@ -69943,7 +72834,7 @@ "value": "GoldMax - S0588" }, { - "description": "[Sibot](https://attack.mitre.org/software/S0589) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://attack.mitre.org/software/S0589) variants in early 2021 during its investigation of [APT29](https://attack.mitre.org/groups/G0016) and the SolarWinds cyber intrusion campaign.(Citation: MSTIC NOBELIUM Mar 2021)", + "description": "[Sibot](https://attack.mitre.org/software/S0589) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://attack.mitre.org/software/S0589) variants in early 2021 during its investigation of [APT29](https://attack.mitre.org/groups/G0016) and the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024).(Citation: MSTIC NOBELIUM Mar 2021)", "meta": { "external_id": "S0589", "mitre_platforms": [ @@ -69972,6 +72863,13 @@ ], "type": "uses" }, + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "tags": [ @@ -70036,14 +72934,14 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -70242,6 +73140,13 @@ ] }, "related": [ + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -70680,6 +73585,13 @@ ] }, "related": [ + { + "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ @@ -70882,13 +73794,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "tags": [ @@ -70910,6 +73815,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "tags": [ @@ -71681,7 +74593,7 @@ "value": "Meteor - S0688" }, { - "description": "[WhisperGate](https://attack.mitre.org/software/S0689) is a multi-stage wiper designed to look like ransomware that has been used in attacks against Ukraine since at least January 2022.(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022)", + "description": "[WhisperGate](https://attack.mitre.org/software/S0689) is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022)", "meta": { "external_id": "S0689", "mitre_platforms": [ 
@@ -71761,6 +74673,13 @@ ], "type": "uses" }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "tags": [ @@ -72024,5 +74943,5 @@ "value": "HermeticWizard - S0698" } ], - "version": 28 + "version": 29 } diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json index bd8c675..964aa97 100644 --- a/clusters/mitre-tool.json +++ b/clusters/mitre-tool.json 
@@ -37,6 +37,262 @@ "uuid": "242f3da3-4425-4d11-8f5c-b842886da966", "value": "Windows Credential Editor - S0005" }, + { + "description": "[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of [Brute Ratel C4](https://attack.mitre.org/software/S1063) was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)", + "meta": { + "external_id": "S1063", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1063", + "https://bruteratel.com/", + "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", + "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/", + "https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/", + "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html" + ], + "synonyms": [ + "Brute Ratel C4", + "BRc4" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "75d8b521-6b6a-42ff-8af3-d97e20ce12a5", + "value": "Brute Ratel C4 - S1063" + }, { "description": "[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)", "meta": { @@ -1117,6 +1373,13 @@ ], "type": "uses" }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ 
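Review bot: The new Brute Ratel C4 entry carries a `uses` relation to `b3d682b6-98f2-4fb0-aa3b-b4df007ca70a`, while the same patch removes that exact `dest-uuid` from many existing software entries and adds `d511a6f6-4a33-41d5-bc95-c343875d1377` in its place. If that is a v13-wide re-mapping rather than a per-software correction, the freshly added entry may be keeping a mapping the rest of the file is retiring; please confirm `b3d682b6-…` is still a live, non-deprecated attack-pattern in the updated attack-pattern cluster before merging, and otherwise point the relation at the successor UUID. The entry itself is complete within this hunk, so the check is limited to that one relation.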
@@ -1211,6 +1474,13 @@ ] }, "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ 
@@ -2292,6 +2562,64 @@ "uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507", "value": "UACMe - S0116" }, + { + "description": "[Rubeus](https://attack.mitre.org/software/S1071) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)", + "meta": { + "external_id": "S1071", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S1071", + "https://github.com/GhostPack/Rubeus", + "https://thedfirreport.com/2020/10/08/ryuks-return/", + "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + ], + "synonyms": [ + "Rubeus" + ] + }, + "related": [ + { + "dest-uuid": "3986e7fd-a8e9-4ecb-bfc6-55920855912b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d273434a-448e-4598-8e14-607f4a0d5e27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "e33267fe-099f-4af2-8730-63d49f8813b2", + "value": "Rubeus - S1071" + }, { "description": "[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that program extracts cached 
password hashes from a system’s registry. (Citation: Mandiant APT1)", "meta": { @@ -3003,6 +3331,9 @@ "refs": [ "https://attack.mitre.org/software/S0174", "https://github.com/SpiderLabs/Responder" + ], + "synonyms": [ + "Responder" ] }, "related": [ @@ -3189,13 +3520,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", "tags": [ @@ -3211,14 +3535,14 @@ "type": "uses" }, { - "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", + "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3728,8 +4052,8 @@ "refs": [ "https://attack.mitre.org/software/S0332", "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html", - "https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html", - "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/" + "https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/", + "https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html" ], "synonyms": [ "Remcos" @@ -5009,13 +5333,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", "tags": [ 
@@ -5079,6 +5396,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "tags": [ @@ -6393,6 +6717,13 @@ ], "type": "uses" }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc", "tags": [ @@ -6407,6 +6738,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", "tags": [ @@ -6542,5 +6880,5 @@ "value": "Mythic - S0699" } ], - "version": 27 + "version": 28 }