From d82a76c08ff6002b0f8922a7efd35bde15d9002b Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Sat, 19 May 2018 13:09:30 +0200
Subject: [PATCH] fix scripts for nobile and pre attack attack pattern
---
.../mitre-mobile-attack-attack-pattern.json | 3074 +++++------
clusters/mitre-pre-attack-attack-pattern.json | 4896 ++++++++---------
.../mitre-mobile-attack-attack-pattern.json | 14 +-
galaxies/mitre-pre-attack-attack-pattern.json | 14 +-
...tre-mobile-attack-attack-pattern_galaxy.py | 2 +-
..._mitre-pre-attack-attack-pattern_galaxy.py | 2 +-
6 files changed, 4001 insertions(+), 4001 deletions(-)
diff --git a/clusters/mitre-mobile-attack-attack-pattern.json b/clusters/mitre-mobile-attack-attack-pattern.json
index 7fb8937..501b8c6 100644
--- a/clusters/mitre-mobile-attack-attack-pattern.json
+++ b/clusters/mitre-mobile-attack-attack-pattern.json
@@ -1,1538 +1,1538 @@ { - "name": "Mobile Attack - Attack Pattern", - "type": "mitre-mobile-attack-attack-pattern", - "description": "ATT&CK tactic", - "version": 3, - "source": "https://github.com/mitre/cti", - "uuid": "1e606d06-1708-11e8-8a43-df11c8cf9ae2", - "authors": [ - "MITRE" - ], - "values": [ - { - "description": "An SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device. For example, Mulliner and Miller demonstrated such an attack against the iPhone in 2009 as described in (Citation: Forbes-iPhoneSMS).\n\nAn SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser.\n\nAs described by SRLabs in (Citation: SRLabs-SIMCard), vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages.\n\nPlatforms: Android, iOS", - "value": "Malicious SMS Message - MOB-T1057", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1057", - "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html", - "https://srlabs.de/bites/rooting-sim-cards/" - ], - "external_id": "MOB-T1057", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:exploit-via-cellular-network" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "0bcc4ec1-a897-49a9-a9ff-c00df1d1209d" - }, - { - "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication. For example, He et al. 
(Citation: mHealth) describe numerous healthcare-related applications that did not properly protect network communication.\n\nPlatforms: Android, iOS", - "value": "Eavesdrop on Insecure Network Communication - MOB-T1042", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1042", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", - "https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps" - ], - "external_id": "APP-1", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:general-network-based" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "393e8c12-a416-4575-ba90-19cc85656796" - }, - { - "description": "An adversary could use knowledge of the techniques used by security software to evade detection. For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection as described by (Citation: Rastogi) et al. (Citation: Rastogi). 
\n\n (Citation: Brodie) (Citation: Brodie) describes limitations of jailbreak/root detection mechanisms.\n\n (Citation: Tan) (Citation: Tan) describes his experience defeating the jailbreak detection used by the iOS version of Good for Enterprise.\n\nPlatforms: Android, iOS", - "value": "Disguise Root/Jailbreak Indicators - MOB-T1011", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1011", - "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html", - "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf", - "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf", - "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions" - ], - "external_id": "EMM-5", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:defense-evasion" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "b332a960-3c04-495a-827f-f17a5daed3a6" - }, - { - "description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). Device information could be used to target privilege escalation exploits.\n\nPlatforms: Android", - "value": "Device Type Discovery - MOB-T1022", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1022", - "https://zeltser.com/third-party-keyboards-security/" - ], - "external_id": "MOB-T1022", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:discovery" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05" - }, - { - "description": "A malicious app could use standard Android APIs to send SMS messages. 
SMS messages could potentially be sent to premium numbers that charge the device owner and generate revenue for an adversary, for example as described by Lookout in (Citation: Lookout-SMS).\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the SEND_SMS permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).\n\nDetection: As described in Google's Android Security 2014 Year in Review Report (Citation: AndroidSecurity2014), starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android", - "value": "Premium SMS Toll Fraud - MOB-T1051", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1051", - "https://blog.lookout.com/blog/2013/08/02/dragon-lady/", - "https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google%20Android%20Security%202014%20Report%20Final.pdf" - ], - "external_id": "MOB-T1051", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:effects" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274" - }, - { - "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. 
For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB).\n\nDetection: Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS", - "value": "Obtain Device Cloud Backups - MOB-T1073", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1073", - "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html", - "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html", - "https://www.elcomsoft.com/eppb.html" - ], - "external_id": "ECO-1", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:cloud-based" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "0c71033e-401e-4b97-9309-7a7c95e43a5d" - }, - { - "description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. 
On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.\n\nPlatforms: Android", - "value": "Access Sensitive Data in Device Logs - MOB-T1016", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1016", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html" - ], - "external_id": "APP-13", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:collection", - "mitre-mobile-attack:enterprise-attack:credential-access" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3" - }, - { - "description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC. Wang and Stavrou (Citation: Wang-ExploitingUSB) and Kamkar (Citation: ArsTechnica-PoisonTap) describe this technique. 
This technique has been demonstrated on Android, and we are unaware of any demonstrations on iOS.\n\nPlatforms: Android", - "value": "Attack PC via USB Connection - MOB-T1030", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1030", - "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", - "http://dl.acm.org/citation.cfm?id=1920314", - "http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/" - ], - "external_id": "PHY-2", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:lateral-movement" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "a0464539-e1b7-4455-a355-12495987c300" - }, - { - "description": "A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes as described in (Citation: IETF-PKCE).\n\nPlatforms: Android", - "value": "Android Intent Hijacking - MOB-T1019", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1019", - "https://tools.ietf.org/html/rfc7636" - ], - "external_id": "MOB-T1019", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:credential-access" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "77e30eee-fd48-40b4-99ec-73e97c158b58" - }, - { - "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application. This technique, for example, could be used to capture OAuth authorization codes as described in (Citation: IETF-PKCE) or to phish user credentials as described in (Citation: MobileIron-XARA). Related potential security implications are described in (Citation: Dhanjani-URLScheme). 
FireEye researchers describe URL scheme hijacking in a blog post (Citation: FireEye-Masque2), including evidence of its use.\n\nPlatforms: iOS", - "value": "URL Scheme Hijacking - MOB-T1018", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1018", - "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", - "https://tools.ietf.org/html/rfc7636", - "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures", - "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html", - "https://www.fireeye.com/blog/threat-research/2015/02/ios%20masque%20attackre.html" - ], - "external_id": "AUT-10", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:credential-access" - ], - "mitre_platforms": [ - "iOS" - ] - }, - "uuid": "8f142a25-f6c3-4520-bd50-2ae3ab50ed3e" - }, - { - "description": "Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. 
This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).\n\nPlatforms: Android, iOS", - "value": "Exploit Enterprise Resources - MOB-T1031", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1031", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html" - ], - "external_id": "APP-32", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:lateral-movement" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "22379609-a99f-4a01-bd7e-70f3e105859d" - }, - { - "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. 
Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.\n\nDetection: Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.\n\nPlatforms: Android, iOS", - "value": "Modify System Partition - MOB-T1003", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1003", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", - "https://source.android.com/security/verifiedboot/", - "https://www.apple.com/business/docs/iOS%20Security%20Guide.pdf" - ], - "external_id": "APP-27", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:defense-evasion", - "mitre-mobile-attack:enterprise-attack:persistence" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0" - }, - { - "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.\n\nOn Android, much of this information is programmatically accessible to applications through the android.os.Build class (Citation: Android-Build).\n\nOn iOS, techniques exist for applications to programmatically access this information, for example as described in (Citation: StackOverflow-iOSVersion).\n\nPlatforms: Android, iOS", - "value": "System Information Discovery - MOB-T1029", - "meta": { - "refs": [ - 
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1029", - "https://zeltser.com/third-party-keyboards-security/", - "http://stackoverflow.com/questions/7848766/how-can-we-programmatically-detect-which-ios-version-is-device-running-on" - ], - "external_id": "MOB-T1029", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:discovery" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77" - }, - { - "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).\n\nPlatforms: Android, iOS", - "value": "Network Service Scanning - MOB-T1026", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1026" - ], - "external_id": "MOB-T1026", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:discovery" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "2de38279-043e-47e8-aaad-1b07af6d0790" - }, - { - "description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.\n\nDetection: On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS", - "value": "Access Call Log - MOB-T1036", - "meta": { - "refs": [ - 
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1036", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html" - ], - "external_id": "APP-13", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:collection" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - { - "description": "An adversary could evade app vetting techniques by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis.\n\nDiscussion of general Android anti-analysis techniques can be found in (Citation: Petsas). Discussion of Google Play Store-specific anti-analysis techniques can be found in (Citation: Oberheide-Bouncer), (Citation: Percoco-Bouncer).\n\n (Citation: Wang) presents a discussion of iOS anti-analysis techniques.\n\nPlatforms: Android, iOS", - "value": "Detect App Analysis Environment - MOB-T1043", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1043", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html", - "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html", - "http://dl.acm.org/citation.cfm?id=2592796", - "https://jon.oberheide.org/files/summercon12-bouncer.pdf", - "https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH%20US%2012%20Percoco%20Adventures%20in%20Bouncerland%20WP.pdf", - "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang%20tielei" - ], - "external_id": "ECO-22", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:app-delivery-via-authorized-app-store" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b" - }, - { - "description": "Content of a web page could be designed to exploit 
vulnerabilities in a web browser running on the mobile device.\n\nPlatforms: Android, iOS", - "value": "Malicious Web Content - MOB-T1059", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1059", - "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html" - ], - "external_id": "CEL-22", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:exploit-via-internet" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57" - }, - { - "description": "An adversary could use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. For example, Oberheide and Miller describe use of this technique in (Citation: Oberheide-Bouncer).\n\nPlatforms: Android, iOS", - "value": "Fake Developer Accounts - MOB-T1045", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1045", - "https://jon.oberheide.org/files/summercon12-bouncer.pdf" - ], - "external_id": "MOB-T1045", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:app-delivery-via-authorized-app-store" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "e30cc912-7ea1-4683-9219-543b86cbdec9" - }, - { - "description": "Content of a media (audio or video) file could be designed to exploit vulnerabilities in parsers on the mobile device, as for example demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).\n\nPlatforms: Android, iOS", - "value": "Malicious Media Content - MOB-T1060", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1060", - "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html", - "https://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/" - ], - "external_id": "CEL-22", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:exploit-via-internet" - ], - "mitre_platforms": [ - 
"Android", - "iOS" - ] - }, - "uuid": "a9cab8f6-4c94-4c9b-9e7d-9d863ff53431" - }, - { - "description": "The application is delivered as an email attachment.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices. Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.\n\nPlatforms: Android, iOS", - "value": "App Delivered via Email Attachment - MOB-T1037", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1037", - "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html", - "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html" - ], - "external_id": "ECO-13", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:app-delivery-via-other-means" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2" - }, - { - "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.\n\nIn the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. 
As described by Kaspersky (Citation: Kaspersky-MobileMalware), Google responds to reports of abuse by blocking access to GCM.\n\nPlatforms: Android, iOS", - "value": "Standard Application Layer Protocol - MOB-T1040", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1040", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", - "https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/" - ], - "external_id": "APP-29", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:command-and-control", - "mitre-mobile-attack:enterprise-attack:exfiltration" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "6a3f6490-9c44-40de-b059-e5940f246673" - }, - { - "description": "On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). 
The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there.\n\niOS's security architecture generally restricts the ability to perform file and directory discovery without use of escalated privileges.\n\nPlatforms: Android", - "value": "File and Directory Discovery - MOB-T1023", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1023" - ], - "external_id": "MOB-T1023", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:discovery" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848" - }, - { - "description": "A malicious application could abuse Android device administrator access to wipe device contents, for example if a ransom is not paid.\n\nPlatforms: Android", - "value": "Wipe Device Data - MOB-T1050", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1050" - ], - "external_id": "MOB-T1050", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:effects" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "8e27551a-5080-4148-a584-c64348212e4f" - }, - { - "description": "An adversary could use a malicious or exploited application to surreptitiously record activities using the device microphone and/or camera through use of standard operating system APIs.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to use the microphone or the camera through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS", - "value": "Microphone or Camera Recordings - MOB-T1032", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1032", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html" - ], - "external_id": "APP-19", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:collection" - ], - 
"mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - { - "description": "The mobile device could contain built-in functionality with malicious behavior or exploitable vulnerabilities. An adversary could deliberately insert and take advantage of the malicious behavior or could exploit inadvertent vulnerabilities. In many cases, it is difficult to be certain whether exploitable functionality is due to malicious intent or simply an inadvertent mistake.\n\nPlatforms: Android, iOS", - "value": "Malicious or Vulnerable Built-in Device Functionality - MOB-T1076", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1076" - ], - "external_id": "MOB-T1076", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:supply-chain" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "f9e4f526-ac9d-4df5-8949-833a82a1d2df" - }, - { - "description": "An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques, as described in (Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS).\n\nPlatforms: Android, iOS", - "value": "Obfuscated or Encrypted Payload - MOB-T1009", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1009", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html", - "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf", - "http://ieeexplore.ieee.org/document/6234407", - "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/", - "http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao" - ], - "external_id": "APP-21", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:defense-evasion" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": 
"d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" - }, - { - "description": "At least three methods exist to perform User Interface Spoofing:\n\nFirst, on both Android and iOS, an adversary could impersonate the user interface of a legitimate app or device function to trick a user into entering account credentials. \n\nSecond, on both Android and iOS, a malicious app could impersonate the identity of another app in order to trick users into installing and using it.\n\nThird, on older versions of Android, a malicious app could abuse mobile operating system features to interfere with a running legitimate app as described in (Citation: Felt-PhishingOnMobileDevices) and (Citation: Hassell-ExploitingAndroid). However, this technique appears to have been addressed starting in Android 5.0 with the deprecation of the Android's ActivityManager.getRunningTasks method and modification of its behavior (Citation: Android-getRunningTasks) and further addressed in Android 5.1.1 (Citation: StackOverflow-getRunningAppProcesses) to prevent a malicious app from determining what app is currently in the foreground.\n\nPlatforms: Android, iOS", - "value": "User Interface Spoofing - MOB-T1014", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1014", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", - "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf", - "http://conference.hitb.org/hitbsecconf2011kul/materials/D1T1", - "https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29", - "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag" - ], - "external_id": "APP-31", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:credential-access" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2" - }, - { - "description": "A message sent over a radio interface 
(typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi or other) to the mobile device could exploit a vulnerability in code running on the device.\n\nD. Komaromy and N. Golde demonstrated baseband exploitation of a Samsung mobile device at the PacSec 2015 security conference (Citation: Register-BaseStation).\n\nWeinmann described and demonstrated \"the risk of remotely exploitable memory corruptions in cellular baseband stacks.\" (Citation: Weinmann-Baseband)\n\nPlatforms: Android, iOS", - "value": "Exploit Baseband Vulnerability - MOB-T1058", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1058", - "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-18.html", - "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-19.html", - "http://www.theregister.co.uk/2015/11/12/mobile%20pwn2own1/", - "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf" - ], - "external_id": "STA-19", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:exploit-via-cellular-network" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "c91c304a-975d-4501-9789-0db1c57afd3f" - }, - { - "description": "On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the ps command, or by examining the /proc directory. 
Starting in Android version 7, use of the Linux kernel's hidepid feature prevents applications (without escalated privileges) from accessing this information (Citation: Android-SELinuxChanges).\n\nPlatforms: Android", - "value": "Process Discovery - MOB-T1027", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1027", - "https://code.google.com/p/android/issues/detail?id=205565" - ], - "external_id": "MOB-T1027", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:discovery" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19" - }, - { - "description": "A malicious application can request Device Administrator privileges. If the user grants the privileges, the application can take steps to make its removal more difficult.\n\nDetection: The device user can view a list of apps with Device Administrator privilege in the device settings.\n\nPlatforms: Android", - "value": "Abuse Device Administrator Access to Prevent Removal - MOB-T1004", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1004", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html" - ], - "external_id": "APP-22", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:persistence" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483" - }, - { - "description": "The application is downloaded from an arbitrary web site. 
A link to the application's download URI may be sent in an email or SMS, placed on another web site that the target is likely to view, or sent via other means (such as QR code).\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.\n\nPlatforms: Android, iOS", - "value": "App Delivered via Web Download - MOB-T1034", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1034", - "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html", - "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html" - ], - "external_id": "ECO-21", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:app-delivery-via-other-means" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2" - }, - { - "description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. 
Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.\n\nPlatforms: Android, iOS", - "value": "Capture SMS Messages - MOB-T1015", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1015" - ], - "external_id": "MOB-T1015", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:collection", - "mitre-mobile-attack:enterprise-attack:credential-access" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - { - "description": "An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android, and we are unaware of any demonstrated use on iOS.\n\nPlatforms: Android", - "value": "Encrypt Files for Ransom - MOB-T1074", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1074", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html" - ], - "external_id": "APP-28", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:effects" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4" - }, - { - "description": "An adversary could abuse an iOS enterprise app signing key (intended for enterprise in-house distribution of apps) to sign malicious iOS apps so that they can be installed on iOS devices without the app needing to be published on Apple's App Store. 
For example, Xiao describes use of this technique in (Citation: Xiao-iOS).\n\nDetection: iOS 9 and above typically requires explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple's App Store.\n\nPlatforms: iOS", - "value": "Abuse of iOS Enterprise App Signing Key - MOB-T1048", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1048", - "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-23.html", - "http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao" - ], - "external_id": "ECO-23", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:app-delivery-via-other-means" - ], - "mitre_platforms": [ - "iOS" - ] - }, - "uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac" - }, - { - "description": "On Android, details of onboard network interfaces are accessible to apps through the java.net. (Citation: NetworkInterface) class (Citation: NetworkInterface). The Android (Citation: TelephonyManager) class can be used to gather related information such as the IMSI, IMEI, and phone number (Citation: TelephonyManager).\n\nPlatforms: Android", - "value": "Local Network Configuration Discovery - MOB-T1025", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1025", - "https://developer.android.com/reference/java/net/NetworkInterface.html", - "https://developer.android.com/reference/android/telephony/TelephonyManager.html" - ], - "external_id": "MOB-T1025", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:discovery" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd" - }, - { - "description": "Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. 
Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems.\n\nPlatforms: Android, iOS", - "value": "Alternate Network Mediums - MOB-T1041", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1041", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html" - ], - "external_id": "APP-30", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:command-and-control", - "mitre-mobile-attack:enterprise-attack:exfiltration" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a" - }, - { - "description": "On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store (Citation: ConnMonitor) advertises this functionality.\n\nPlatforms: Android", - "value": "Local Network Connections Discovery - MOB-T1024", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1024", - "https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&hl=en" - ], - "external_id": "MOB-T1024", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:discovery" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb" - }, - { - "description": "An adversary could make educated guesses of the device lock screen's PIN/password (e.g., commonly used values, birthdays, anniversaries) or attempt a dictionary or brute force attack against it. 
Brute force attacks could potentially be automated (Citation: PopSci-IPBox).\n\nPlatforms: Android, iOS", - "value": "Device Unlock Code Guessing or Brute Force - MOB-T1062", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1062", - "http://www.popsci.com/box-can-figure-out-your-4-digit-iphone-passcode" - ], - "external_id": "MOB-T1062", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:exploit-via-physical-access" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a" - }, - { - "description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). 
If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).\n\nPlatforms: Android", - "value": "Exploit TEE Vulnerability - MOB-T1008", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1008", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", - "https://usmile.at/symposium/program/2015/thomas-holmes", - "https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html", - "https://usmile.at/symposium/program/2015/ekberg", - "http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html" - ], - "external_id": "APP-27", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:credential-access", - "mitre-mobile-attack:enterprise-attack:privilege-escalation" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "ef771e03-e080-43b4-a619-ac6f84899884" - }, - { - "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication as described in NIST SP 800-153 (Citation: NIST-SP800153). 
\n\nFor example, Kaspersky describes a threat actor they call DarkHotel that targeted hotel Wi-Fi networks, using them to compromise computers belonging to business executives (Citation: Kaspersky-DarkHotel).\n\nPlatforms: Android, iOS", - "value": "Rogue Wi-Fi Access Points - MOB-T1068", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1068", - "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html", - "http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf", - "https://blog.kaspersky.com/darkhotel-apt/6613/" - ], - "external_id": "LPN-0", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:general-network-based" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "633baf01-6de4-4963-bb54-ff6c6357bed3" - }, - { - "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.\n\nDetection: Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. 
Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS", - "value": "Remotely Track Device Without Authorization - MOB-T1071", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1071", - "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", - "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html" - ], - "external_id": "EMM-7", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:cloud-based" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "6f86d346-f092-4abc-80df-8558a90c426a" - }, - { - "description": "An adversary could attempt to spoof a mobile device's biometric authentication mechanism, for example by providing a fake fingerprint as described by SRLabs in (Citation: SRLabs-Fingerprint).\n\niOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID).\n\nPlatforms: Android, iOS", - "value": "Biometric Spoofing - MOB-T1063", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1063", - "https://srlabs.de/bites/spoofing-fingerprints/", - "https://support.apple.com/en-us/HT204587" - ], - "external_id": "MOB-T1063", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:exploit-via-physical-access" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "45dcbc83-4abc-4de1-b643-e528d1e9df09" - }, - { - "description": "An attacker could jam radio signals (e.g. 
Wi-Fi, cellular, GPS) to prevent the mobile device from communicating as described in draft NIST SP 800-187 (Citation: NIST-SP800187).\n\nPlatforms: Android, iOS", - "value": "Jamming or Denial of Service - MOB-T1067", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1067", - "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", - "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html", - "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html", - "https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html", - "http://csrc.nist.gov/publications/drafts/800-187/sp800%20187%20draft.pdf" - ], - "external_id": "GPS-0", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:cellular-network-based", - "mitre-mobile-attack:enterprise-attack:general-network-based" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d" - }, - { - "description": "A malicious app or other attack vector could capture sensitive data stored in the device clipboard, for example passwords being copy-and-pasted from a password manager app.\n\nPlatforms: Android, iOS", - "value": "Capture Clipboard Data - MOB-T1017", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1017", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html" - ], - "external_id": "APP-35", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:collection", - "mitre-mobile-attack:enterprise-attack:credential-access" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692" - }, - { - "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.\n\nDetection: On both Android (6.0 and 
up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS", - "value": "Access Contact List - MOB-T1035", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1035", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html" - ], - "external_id": "APP-13", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:collection" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - { - "description": "An adversary could steal developer account credentials on an app store and/or signing keys to publish malicious updates to existing Android or iOS apps, or to abuse the developer's identity and reputation to publish new malicious applications. For example, Infoworld describes this technique and suggests mitigations in (Citation: Infoworld-Appstore).\n\nDetection: Developers can regularly scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.\n\nPlatforms: Android, iOS", - "value": "Stolen Developer Credentials or Signing Keys - MOB-T1044", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1044", - "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html", - "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html", - "http://www.infoworld.com/article/2854963/mobile-development/how-to-keep-your-app-store-dev-account-from-being-hijacked.html" - ], - "external_id": "ECO-17", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:app-delivery-via-authorized-app-store" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "a21a6a79-f9a1-4c87-aed9-ba2d79536881" - }, - { - "description": "An adversary may capture network 
traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.\n\nDetection: On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.\n\nPlatforms: Android, iOS", - "value": "Network Traffic Capture or Redirection - MOB-T1013", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1013", - "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/" - ], - "external_id": "MOB-T1013", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:collection", - "mitre-mobile-attack:enterprise-attack:credential-access" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "3b0b604f-10db-41a0-b54c-493124d455b9" - }, - { - "description": "An adversary could attempt to read files that contain sensitive data or credentials (e.g., private keys, passwords, access tokens). 
This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).\n\nPlatforms: Android, iOS", - "value": "Access Sensitive Data or Credentials in Files - MOB-T1012", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1012", - "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html" - ], - "external_id": "AUT-0", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:collection", - "mitre-mobile-attack:enterprise-attack:credential-access" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - { - "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. 
Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.\n\nThomas Roth describes the potential for placing a rootkit within the TrustZone secure world (Citation: Roth-Rootkits).\n\nDetection: Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.\n\nPlatforms: Android", - "value": "Modify Trusted Execution Environment - MOB-T1002", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1002", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", - "https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf", - "https://www.apple.com/business/docs/iOS%20Security%20Guide.pdf" - ], - "external_id": "APP-27", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:defense-evasion", - "mitre-mobile-attack:enterprise-attack:persistence" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "f1c3d071-0c24-483d-aca0-e8b8496ce468" - }, - { - "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate as described in draft NIST SP 800-187 (Citation: NIST-SP800187). 
Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.\n\nPlatforms: Android, iOS", - "value": "Downgrade to Insecure Protocols - MOB-T1069", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1069", - "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", - "http://csrc.nist.gov/publications/drafts/800-187/sp800%20187%20draft.pdf" - ], - "external_id": "CEL-3", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:cellular-network-based", - "mitre-mobile-attack:enterprise-attack:general-network-based" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "f58cd69a-e548-478b-9248-8a9af881dc34" - }, - { - "description": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.\n\nPlatforms: Android, iOS", - "value": "Generate Fraudulent Advertising Revenue - MOB-T1075", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1075" - ], - "external_id": "MOB-T1075", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:effects" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf" - }, - { - "description": "An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app.\n\n (Citation: Zhou) and Jiang (Citation: Zhou) analyzed 1260 Android malware samples belonging to 49 families of malware, and determined that 29 malware families and 83.3% of the samples listened for BOOT_COMPLETED.\n\nPlatforms: Android", - "value": "App Auto-Start at Device Boot - MOB-T1005", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1005", - 
"http://ieeexplore.ieee.org/document/6234407" - ], - "external_id": "MOB-T1005", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:persistence" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69" - }, - { - "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.\n\nPlatforms: Android, iOS", - "value": "Commonly Used Port - MOB-T1039", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1039" - ], - "external_id": "MOB-T1039", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:command-and-control", - "mitre-mobile-attack:enterprise-attack:exfiltration" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "3911658a-6506-4deb-9ab4-595a51ae71ad" - }, - { - "description": "An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. 
This technique likely requires privileged access (a rooted or jailbroken device).\n\nPlatforms: Android, iOS", - "value": "Manipulate App Store Rankings or Ratings - MOB-T1055", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1055" - ], - "external_id": "MOB-T1055", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:effects" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69" - }, - { - "description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS", - "value": "Access Calendar Entries - MOB-T1038", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1038", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html" - ], - "external_id": "APP-13", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:collection" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "62adb627-f647-498e-b4cc-41499361bacb" - }, - { - "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).\n\nDetection: Google provides the ability for users to view their general account activity. 
Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS", - "value": "Remotely Wipe Data Without Authorization - MOB-T1072", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1072", - "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", - "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", - "https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/" - ], - "external_id": "EMM-7", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:cloud-based" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "537ea573-8a1c-468c-956b-d16d2ed9d067" - }, - { - "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages to a phone number under the attacker's control. The adversary could then act as a man-in-the-middle to intercept or manipulate the communication. These issues are discussed in (Citation: Engel-SS7), (Citation: Engel-SS7)-2008, (Citation: 3GPP-Security), (Citation: Positive-SS7), as well as in a report from the Communications, Security, Reliability, and Interoperability Council (CSRIC) (Citation: CSRIC5-WG10-FinalReport).\n\nDetection: Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the CSRIC (Citation: CSRIC5-WG10-FinalReport). 
The CSRIC also suggests threat information sharing between telecommunications industry members.\n\nPlatforms: Android, iOS", - "value": "Exploit SS7 to Redirect Phone Calls/SMS - MOB-T1052", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1052", - "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html", - "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf", - "http://www.3gpp.org/ftp/tsg%20sa/wg3%20security/%20specs/33900-120.pdf", - "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf", - "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" - ], - "external_id": "CEL-37", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:cellular-network-based" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d" - }, - { - "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes, but doing so introduces the potential ability for others to maliciously update the kernel or other boot partition code.\n\nIf the bootloader is not unlocked, it may still be possible to exploit device vulnerabilities to update the code.\n\nDetection: The Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices. 
Samsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\nSamsung KNOX devices include a non-reversible Knox warranty bit fuse that is triggered \"if a non-Knox kernel has been loaded on the device\" (Citation: Samsung-KnoxWarrantyBit). If triggered, enterprise Knox container services will no longer be available on the device.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.\n\nMany enterprise applications perform their own checks to detect and respond to compromised devices. These checks are not foolproof but can detect common signs of compromise.\n\nPlatforms: Android, iOS", - "value": "Modify OS Kernel or Boot Partition - MOB-T1001", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1001", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", - "https://www2.samsungknox.com/en/faq/what-knox-warranty-bit-and-how-it-triggered", - "https://www.apple.com/business/docs/iOS%20Security%20Guide.pdf" - ], - "external_id": "APP-27", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:defense-evasion", - "mitre-mobile-attack:enterprise-attack:persistence" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5" - }, - { - "description": "A malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions, as demonstrated in a proof of concept created by Skycure (Citation: Skycure-Accessibility).\n\nPlatforms: Android", - "value": "Abuse Accessibility Features - MOB-T1056", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1056", - "https://www.skycure.com/blog/accessibility-clickjacking/" - ], - 
"external_id": "MOB-T1056", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:collection", - "mitre-mobile-attack:enterprise-attack:credential-access" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "2204c371-6100-4ae0-82f3-25c07c29772a" - }, - { - "description": "Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities.\n\nFor example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).\n\nPlatforms: Android, iOS", - "value": "Insecure Third-Party Libraries - MOB-T1028", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1028", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html", - "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/" - ], - "external_id": "APP-6", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:supply-chain" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "11bd699b-f2c2-4e48-bf46-fb3f8acd9799" - }, - { - "description": "An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review (Citation: Poeplau-ExecuteThis). 
\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability (Citation: Bromium-AndroidRCE).\n\nOn iOS, techniques for executing dynamic code downloaded after application installation include JSPatch (Citation: FireEye-JSPatch). (Citation: Wang) et al. describe a related method of constructing malicious logic at app runtime on iOS (Citation: Wang).\n\nPlatforms: Android, iOS", - "value": "Download New Code at Runtime - MOB-T1010", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1010", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", - "https://www.internetsociety.org/sites/default/files/10%205%200.pdf", - "https://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/", - "https://www.fireeye.com/blog/threat-research/2016/01/hot%20or%20not%20the%20bene.html", - "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang%20tielei" - ], - "external_id": "APP-20", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:defense-evasion" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "6c49d50f-494d-4150-b774-a655022d20a6" - }, - { - "description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices, for example as described in (Citation: Engel-SS7), (Citation: Engel-SS7)-2008, (Citation: 3GPP-Security) and (Citation: Positive-SS7), as well as in a report from the Communications, Security, Reliability, and Interoperability Council (CSRIC) (Citation: CSRIC5-WG10-FinalReport).\n\nDetection: Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the CSRIC (Citation: CSRIC-WG1-FinalReport). 
The CSRIC also suggests threat information sharing between telecommunications industry members.\n\nPlatforms: Android, iOS", - "value": "Exploit SS7 to Track Device Location - MOB-T1053", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1053", - "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", - "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf", - "http://www.3gpp.org/ftp/tsg%20sa/wg3%20security/%20specs/33900-120.pdf", - "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf", - "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" - ], - "external_id": "CEL-38", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:cellular-network-based" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "52651225-0b3a-482d-aa7e-10618fd063b5" - }, - { - "description": "A malicious app can register as a device keyboard and intercept keypresses containing sensitive values such as usernames and passwords. Zeltser (Citation: Zeltser-Keyboard) describes these risks.\n\nBoth iOS and Android require the user to explicitly authorize use of third party keyboard apps. 
Users should be advised to use extreme caution before granting this authorization when it is requested.\n\nPlatforms: Android, iOS", - "value": "Malicious Third Party Keyboard App - MOB-T1020", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1020", - "https://zeltser.com/third-party-keyboards-security/" - ], - "external_id": "MOB-T1020", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:collection", - "mitre-mobile-attack:enterprise-attack:credential-access" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad" - }, - { - "description": "A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.\n\nPlatforms: Android, iOS", - "value": "Exploit OS Vulnerability - MOB-T1007", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1007", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html" - ], - "external_id": "APP-26", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:privilege-escalation" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - { - "description": "An adversary with control of a target's Google account can use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account as described in (Citation: Oberheide-RemoteInstall), (Citation: Konoth). 
However, only applications that are available for download through the Google Play Store can be remotely installed using this technique.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n\nPlatforms: Android", - "value": "Remotely Install Application - MOB-T1046", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1046", - "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html", - "https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/", - "http://www.vvdveen.com/publications/BAndroid.pdf" - ], - "external_id": "ECO-4", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:app-delivery-via-authorized-app-store" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "831e3269-da49-48ac-94dc-948008e8fd16" - }, - { - "description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. If an adversary can escalate privileges, he or she may be able to use those privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.\n\nSabanal describes the potential use of this technique in (Citation: Sabanal-ART).\n\nPlatforms: Android", - "value": "Modify cached executable code - MOB-T1006", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1006", - "https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf" - ], - "external_id": "MOB-T1006", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:persistence" - ], - "mitre_platforms": [ - "Android" - ] - }, - "uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6" - }, - { - "description": "Adversaries may seek to identify all applications installed on the device. 
One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.\n\nOn Android, applications can use methods in the PackageManager class (Citation: Android-PackageManager) to enumerate other apps installed on device, or an entity with shell access can use the pm command line tool.\n\nOn iOS, apps can use private API calls to obtain a list of other apps installed on the device as described by Kurtz (Citation: Kurtz-MaliciousiOSApps), however use of private API calls will likely prevent the application from being distributed through Apple's App Store.\n\nPlatforms: Android, iOS", - "value": "Application Discovery - MOB-T1021", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1021", - "https://developer.android.com/reference/android/content/pm/PackageManager.html", - "https://andreas-kurtz.de/2014/09/malicious-ios-apps/" - ], - "external_id": "MOB-T1021", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:defense-evasion", - "mitre-mobile-attack:enterprise-attack:discovery" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "198ce408-1470-45ee-b47f-7056050d4fc2" - }, - { - "description": "Techniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lock screen. 
The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.\n\nPlatforms: Android, iOS", - "value": "Lockscreen Bypass - MOB-T1064", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1064", - "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/", - "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/" - ], - "external_id": "MOB-T1064", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:exploit-via-physical-access" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd" - }, - { - "description": "An adversary could convince the mobile network operator (e.g. through social networking or forged identification) to issue a new SIM card and associate it with an existing phone number and account (Citation: NYGov-Simswap). The adversary could then obtain SMS messages or hijack phone calls intended for someone else (Citation: Betanews-Simswap). 
One use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts (Citation: Guardian-Simswap).\n\nPlatforms: Android, iOS", - "value": "SIM Card Swap - MOB-T1054", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1054", - "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html", - "http://www.dos.ny.gov/consumerprotection/scams/att-sim.html", - "http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/", - "https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters" - ], - "external_id": "STA-22", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:cellular-network-based" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "a64a820a-cb21-471f-920c-506a2ff04fa5" - }, - { - "description": "An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access device location through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS", - "value": "Location Tracking - MOB-T1033", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1033", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html" - ], - "external_id": "APP-24", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:collection" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - { - "description": "If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the 
connection.\n\nKrebs described this technique in (Citation: Krebs-JuiceJacking). Lau et al. (Citation: Lau-Mactans) demonstrated the ability to inject malicious applications into an iOS device via USB. Hay (Citation: IBM-NexusUSB) demonstrated the ability to exploit a Nexus 6 or 6P device over USB and then gain the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.\n\nPlatforms: Android, iOS", - "value": "Exploit via Charging Station or PC - MOB-T1061", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1061", - "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html", - "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/", - "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf", - "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/" - ], - "external_id": "PHY-1", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:exploit-via-physical-access" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "667e5707-3843-4da8-bd34-88b922526f0d" - }, - { - "description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. 
For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to man-in-the-middle attacks (Citation: FireEye-SSL).\n\nPlatforms: Android, iOS", - "value": "Manipulate Device Communication - MOB-T1066", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1066", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", - "https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html" - ], - "external_id": "APP-1", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:general-network-based" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63" - }, - { - "description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. 
For example, Ritter and DePerry of iSEC Partners demonstrated this technique using a compromised cellular femtocell at Black Hat USA 2013 (Citation: Computerworld-Femtocell).\n\nPlatforms: Android, iOS", - "value": "Rogue Cellular Base Station - MOB-T1070", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1070", - "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", - "http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html" - ], - "external_id": "CEL-7", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:cellular-network-based" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "a5de0540-73e7-4c67-96da-4143afedc7ed" - }, - { - "description": "An adversary could download a legitimate app, disassemble it, add malicious code, and then reassemble the app, for example as described by (Citation: Zhou) and Jiang in (Citation: Zhou). The app would appear to be the original app but contain additional malicious functionality. 
The adversary could then publish this app to app stores or use another delivery technique.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.\n\nPlatforms: Android, iOS", - "value": "Repackaged Application - MOB-T1047", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1047", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", - "http://ieeexplore.ieee.org/document/6234407" - ], - "external_id": "APP-14", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:app-delivery-via-authorized-app-store", - "mitre-mobile-attack:enterprise-attack:app-delivery-via-other-means" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f" - }, - { - "description": "An adversary may seek to lock the legitimate user out of the device, for example until a ransom is paid.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to lock the user out of the device.\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. 
However, on jailbroken devices, malware has been demonstrated that can lock the user out of the device (Citation: KeyRaider).\n\nPlatforms: Android, iOS", - "value": "Lock User Out of Device - MOB-T1049", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1049", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html", - "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" - ], - "external_id": "APP-28", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:effects" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" - }, - { - "description": "As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.\n\nDetection: Enterprises could deploy integrity checking software to the computers that they use to develop code to detect presence of unauthorized, modified software development tools.\n\nPlatforms: Android, iOS", - "value": "Malicious Software Development Tools - MOB-T1065", - "meta": { - "refs": [ - "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1065", - "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/" - ], - "external_id": "MOB-T1065", - "kill_chain": [ - "mitre-mobile-attack:enterprise-attack:supply-chain" - ], - "mitre_platforms": [ - "Android", - "iOS" - ] - }, - "uuid": "b928b94a-4966-4e2a-9e61-36505b896ebc" - } - ] -} + "name": "Mobile Attack - Attack Pattern", + "type": "mitre-mobile-attack-attack-pattern", + "description": "ATT&CK tactic", + "version": 3, + "source": "https://github.com/mitre/cti", + "uuid": "1e606d06-1708-11e8-8a43-df11c8cf9ae2", + "authors": [ + "MITRE" 
+ ], + "values": [ + { + "description": "An SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device. For example, Mulliner and Miller demonstrated such an attack against the iPhone in 2009 as described in (Citation: Forbes-iPhoneSMS).\n\nAn SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser.\n\nAs described by SRLabs in (Citation: SRLabs-SIMCard), vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages.\n\nPlatforms: Android, iOS", + "value": "Malicious SMS Message - MOB-T1057", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1057", + "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html", + "https://srlabs.de/bites/rooting-sim-cards/" + ], + "external_id": "MOB-T1057", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:exploit-via-cellular-network" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "0bcc4ec1-a897-49a9-a9ff-c00df1d1209d" + }, + { + "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication. For example, He et al. 
(Citation: mHealth) describe numerous healthcare-related applications that did not properly protect network communication.\n\nPlatforms: Android, iOS", + "value": "Eavesdrop on Insecure Network Communication - MOB-T1042", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1042", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", + "https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps" + ], + "external_id": "APP-1", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:general-network-based" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "393e8c12-a416-4575-ba90-19cc85656796" + }, + { + "description": "An adversary could use knowledge of the techniques used by security software to evade detection. For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection as described by (Citation: Rastogi) et al. (Citation: Rastogi). 
\n\n (Citation: Brodie) (Citation: Brodie) describes limitations of jailbreak/root detection mechanisms.\n\n (Citation: Tan) (Citation: Tan) describes his experience defeating the jailbreak detection used by the iOS version of Good for Enterprise.\n\nPlatforms: Android, iOS", + "value": "Disguise Root/Jailbreak Indicators - MOB-T1011", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1011", + "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html", + "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf", + "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf", + "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions" + ], + "external_id": "EMM-5", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "b332a960-3c04-495a-827f-f17a5daed3a6" + }, + { + "description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). Device information could be used to target privilege escalation exploits.\n\nPlatforms: Android", + "value": "Device Type Discovery - MOB-T1022", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1022", + "https://zeltser.com/third-party-keyboards-security/" + ], + "external_id": "MOB-T1022", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:discovery" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05" + }, + { + "description": "A malicious app could use standard Android APIs to send SMS messages. 
SMS messages could potentially be sent to premium numbers that charge the device owner and generate revenue for an adversary, for example as described by Lookout in (Citation: Lookout-SMS).\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the SEND_SMS permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).\n\nDetection: As described in Google's Android Security 2014 Year in Review Report (Citation: AndroidSecurity2014), starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android", + "value": "Premium SMS Toll Fraud - MOB-T1051", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1051", + "https://blog.lookout.com/blog/2013/08/02/dragon-lady/", + "https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google%20Android%20Security%202014%20Report%20Final.pdf" + ], + "external_id": "MOB-T1051", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:effects" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274" + }, + { + "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. 
For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB).\n\nDetection: Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS", + "value": "Obtain Device Cloud Backups - MOB-T1073", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1073", + "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html", + "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html", + "https://www.elcomsoft.com/eppb.html" + ], + "external_id": "ECO-1", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:cloud-based" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "0c71033e-401e-4b97-9309-7a7c95e43a5d" + }, + { + "description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. 
On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.\n\nPlatforms: Android", + "value": "Access Sensitive Data in Device Logs - MOB-T1016", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1016", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html" + ], + "external_id": "APP-13", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:collection", + "mitre-mobile-attack:mobile-attack:credential-access" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3" + }, + { + "description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC. Wang and Stavrou (Citation: Wang-ExploitingUSB) and Kamkar (Citation: ArsTechnica-PoisonTap) describe this technique. 
This technique has been demonstrated on Android, and we are unaware of any demonstrations on iOS.\n\nPlatforms: Android", + "value": "Attack PC via USB Connection - MOB-T1030", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1030", + "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", + "http://dl.acm.org/citation.cfm?id=1920314", + "http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/" + ], + "external_id": "PHY-2", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:lateral-movement" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "a0464539-e1b7-4455-a355-12495987c300" + }, + { + "description": "A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes as described in (Citation: IETF-PKCE).\n\nPlatforms: Android", + "value": "Android Intent Hijacking - MOB-T1019", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1019", + "https://tools.ietf.org/html/rfc7636" + ], + "external_id": "MOB-T1019", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:credential-access" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "77e30eee-fd48-40b4-99ec-73e97c158b58" + }, + { + "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application. This technique, for example, could be used to capture OAuth authorization codes as described in (Citation: IETF-PKCE) or to phish user credentials as described in (Citation: MobileIron-XARA). Related potential security implications are described in (Citation: Dhanjani-URLScheme). 
FireEye researchers describe URL scheme hijacking in a blog post (Citation: FireEye-Masque2), including evidence of its use.\n\nPlatforms: iOS", + "value": "URL Scheme Hijacking - MOB-T1018", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1018", + "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", + "https://tools.ietf.org/html/rfc7636", + "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures", + "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html", + "https://www.fireeye.com/blog/threat-research/2015/02/ios%20masque%20attackre.html" + ], + "external_id": "AUT-10", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:credential-access" + ], + "mitre_platforms": [ + "iOS" + ] + }, + "uuid": "8f142a25-f6c3-4520-bd50-2ae3ab50ed3e" + }, + { + "description": "Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. 
This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).\n\nPlatforms: Android, iOS", + "value": "Exploit Enterprise Resources - MOB-T1031", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1031", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html" + ], + "external_id": "APP-32", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:lateral-movement" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "22379609-a99f-4a01-bd7e-70f3e105859d" + }, + { + "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. 
Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.\n\nDetection: Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.\n\nPlatforms: Android, iOS", + "value": "Modify System Partition - MOB-T1003", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1003", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "https://source.android.com/security/verifiedboot/", + "https://www.apple.com/business/docs/iOS%20Security%20Guide.pdf" + ], + "external_id": "APP-27", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:defense-evasion", + "mitre-mobile-attack:mobile-attack:persistence" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0" + }, + { + "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.\n\nOn Android, much of this information is programmatically accessible to applications through the android.os.Build class (Citation: Android-Build).\n\nOn iOS, techniques exist for applications to programmatically access this information, for example as described in (Citation: StackOverflow-iOSVersion).\n\nPlatforms: Android, iOS", + "value": "System Information Discovery - MOB-T1029", + "meta": { + "refs": [ + 
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1029", + "https://zeltser.com/third-party-keyboards-security/", + "http://stackoverflow.com/questions/7848766/how-can-we-programmatically-detect-which-ios-version-is-device-running-on" + ], + "external_id": "MOB-T1029", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:discovery" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77" + }, + { + "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).\n\nPlatforms: Android, iOS", + "value": "Network Service Scanning - MOB-T1026", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1026" + ], + "external_id": "MOB-T1026", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:discovery" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "2de38279-043e-47e8-aaad-1b07af6d0790" + }, + { + "description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.\n\nDetection: On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS", + "value": "Access Call Log - MOB-T1036", + "meta": { + "refs": [ + 
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1036", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html" + ], + "external_id": "APP-13", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:collection" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" + }, + { + "description": "An adversary could evade app vetting techniques by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis.\n\nDiscussion of general Android anti-analysis techniques can be found in (Citation: Petsas). Discussion of Google Play Store-specific anti-analysis techniques can be found in (Citation: Oberheide-Bouncer), (Citation: Percoco-Bouncer).\n\n (Citation: Wang) presents a discussion of iOS anti-analysis techniques.\n\nPlatforms: Android, iOS", + "value": "Detect App Analysis Environment - MOB-T1043", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1043", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html", + "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html", + "http://dl.acm.org/citation.cfm?id=2592796", + "https://jon.oberheide.org/files/summercon12-bouncer.pdf", + "https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH%20US%2012%20Percoco%20Adventures%20in%20Bouncerland%20WP.pdf", + "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang%20tielei" + ], + "external_id": "ECO-22", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:app-delivery-via-authorized-app-store" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b" + }, + { + "description": "Content of a web page could be designed to exploit 
vulnerabilities in a web browser running on the mobile device.\n\nPlatforms: Android, iOS", + "value": "Malicious Web Content - MOB-T1059", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1059", + "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html" + ], + "external_id": "CEL-22", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:exploit-via-internet" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57" + }, + { + "description": "An adversary could use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. For example, Oberheide and Miller describe use of this technique in (Citation: Oberheide-Bouncer).\n\nPlatforms: Android, iOS", + "value": "Fake Developer Accounts - MOB-T1045", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1045", + "https://jon.oberheide.org/files/summercon12-bouncer.pdf" + ], + "external_id": "MOB-T1045", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:app-delivery-via-authorized-app-store" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "e30cc912-7ea1-4683-9219-543b86cbdec9" + }, + { + "description": "Content of a media (audio or video) file could be designed to exploit vulnerabilities in parsers on the mobile device, as for example demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).\n\nPlatforms: Android, iOS", + "value": "Malicious Media Content - MOB-T1060", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1060", + "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html", + "https://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/" + ], + "external_id": "CEL-22", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:exploit-via-internet" + ], + "mitre_platforms": [ + "Android", + "iOS" + 
] + }, + "uuid": "a9cab8f6-4c94-4c9b-9e7d-9d863ff53431" + }, + { + "description": "The application is delivered as an email attachment.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices. Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.\n\nPlatforms: Android, iOS", + "value": "App Delivered via Email Attachment - MOB-T1037", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1037", + "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html", + "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html" + ], + "external_id": "ECO-13", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:app-delivery-via-other-means" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2" + }, + { + "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.\n\nIn the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. 
As described by Kaspersky (Citation: Kaspersky-MobileMalware), Google responds to reports of abuse by blocking access to GCM.\n\nPlatforms: Android, iOS", + "value": "Standard Application Layer Protocol - MOB-T1040", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1040", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", + "https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/" + ], + "external_id": "APP-29", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:command-and-control", + "mitre-mobile-attack:mobile-attack:exfiltration" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "6a3f6490-9c44-40de-b059-e5940f246673" + }, + { + "description": "On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). 
The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there.\n\niOS's security architecture generally restricts the ability to perform file and directory discovery without use of escalated privileges.\n\nPlatforms: Android", + "value": "File and Directory Discovery - MOB-T1023", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1023" + ], + "external_id": "MOB-T1023", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:discovery" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848" + }, + { + "description": "A malicious application could abuse Android device administrator access to wipe device contents, for example if a ransom is not paid.\n\nPlatforms: Android", + "value": "Wipe Device Data - MOB-T1050", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1050" + ], + "external_id": "MOB-T1050", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:effects" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "8e27551a-5080-4148-a584-c64348212e4f" + }, + { + "description": "An adversary could use a malicious or exploited application to surreptitiously record activities using the device microphone and/or camera through use of standard operating system APIs.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to use the microphone or the camera through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS", + "value": "Microphone or Camera Recordings - MOB-T1032", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1032", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html" + ], + "external_id": "APP-19", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:collection" + ], + "mitre_platforms": 
[ + "Android", + "iOS" + ] + }, + "uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" + }, + { + "description": "The mobile device could contain built-in functionality with malicious behavior or exploitable vulnerabilities. An adversary could deliberately insert and take advantage of the malicious behavior or could exploit inadvertent vulnerabilities. In many cases, it is difficult to be certain whether exploitable functionality is due to malicious intent or simply an inadvertent mistake.\n\nPlatforms: Android, iOS", + "value": "Malicious or Vulnerable Built-in Device Functionality - MOB-T1076", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1076" + ], + "external_id": "MOB-T1076", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:supply-chain" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "f9e4f526-ac9d-4df5-8949-833a82a1d2df" + }, + { + "description": "An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques, as described in (Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS).\n\nPlatforms: Android, iOS", + "value": "Obfuscated or Encrypted Payload - MOB-T1009", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1009", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html", + "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf", + "http://ieeexplore.ieee.org/document/6234407", + "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/", + "http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao" + ], + "external_id": "APP-21", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": 
"d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" + }, + { + "description": "At least three methods exist to perform User Interface Spoofing:\n\nFirst, on both Android and iOS, an adversary could impersonate the user interface of a legitimate app or device function to trick a user into entering account credentials. \n\nSecond, on both Android and iOS, a malicious app could impersonate the identity of another app in order to trick users into installing and using it.\n\nThird, on older versions of Android, a malicious app could abuse mobile operating system features to interfere with a running legitimate app as described in (Citation: Felt-PhishingOnMobileDevices) and (Citation: Hassell-ExploitingAndroid). However, this technique appears to have been addressed starting in Android 5.0 with the deprecation of the Android's ActivityManager.getRunningTasks method and modification of its behavior (Citation: Android-getRunningTasks) and further addressed in Android 5.1.1 (Citation: StackOverflow-getRunningAppProcesses) to prevent a malicious app from determining what app is currently in the foreground.\n\nPlatforms: Android, iOS", + "value": "User Interface Spoofing - MOB-T1014", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1014", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", + "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf", + "http://conference.hitb.org/hitbsecconf2011kul/materials/D1T1", + "https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29", + "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag" + ], + "external_id": "APP-31", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:credential-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2" + }, + { + "description": "A message sent over a radio interface (typically 
cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi or other) to the mobile device could exploit a vulnerability in code running on the device.\n\nD. Komaromy and N. Golde demonstrated baseband exploitation of a Samsung mobile device at the PacSec 2015 security conference (Citation: Register-BaseStation).\n\nWeinmann described and demonstrated \"the risk of remotely exploitable memory corruptions in cellular baseband stacks.\" (Citation: Weinmann-Baseband)\n\nPlatforms: Android, iOS", + "value": "Exploit Baseband Vulnerability - MOB-T1058", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1058", + "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-18.html", + "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-19.html", + "http://www.theregister.co.uk/2015/11/12/mobile%20pwn2own1/", + "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf" + ], + "external_id": "STA-19", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:exploit-via-cellular-network" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "c91c304a-975d-4501-9789-0db1c57afd3f" + }, + { + "description": "On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the ps command, or by examining the /proc directory. 
Starting in Android version 7, use of the Linux kernel's hidepid feature prevents applications (without escalated privileges) from accessing this information (Citation: Android-SELinuxChanges).\n\nPlatforms: Android", + "value": "Process Discovery - MOB-T1027", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1027", + "https://code.google.com/p/android/issues/detail?id=205565" + ], + "external_id": "MOB-T1027", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:discovery" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19" + }, + { + "description": "A malicious application can request Device Administrator privileges. If the user grants the privileges, the application can take steps to make its removal more difficult.\n\nDetection: The device user can view a list of apps with Device Administrator privilege in the device settings.\n\nPlatforms: Android", + "value": "Abuse Device Administrator Access to Prevent Removal - MOB-T1004", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1004", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html" + ], + "external_id": "APP-22", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:persistence" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483" + }, + { + "description": "The application is downloaded from an arbitrary web site. 
A link to the application's download URI may be sent in an email or SMS, placed on another web site that the target is likely to view, or sent via other means (such as QR code).\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.\n\nPlatforms: Android, iOS", + "value": "App Delivered via Web Download - MOB-T1034", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1034", + "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html", + "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html" + ], + "external_id": "ECO-21", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:app-delivery-via-other-means" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2" + }, + { + "description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. 
Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.\n\nPlatforms: Android, iOS", + "value": "Capture SMS Messages - MOB-T1015", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1015" + ], + "external_id": "MOB-T1015", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:collection", + "mitre-mobile-attack:mobile-attack:credential-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" + }, + { + "description": "An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android, and we are unaware of any demonstrated use on iOS.\n\nPlatforms: Android", + "value": "Encrypt Files for Ransom - MOB-T1074", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1074", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html" + ], + "external_id": "APP-28", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:effects" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4" + }, + { + "description": "An adversary could abuse an iOS enterprise app signing key (intended for enterprise in-house distribution of apps) to sign malicious iOS apps so that they can be installed on iOS devices without the app needing to be published on Apple's App Store. 
For example, Xiao describes use of this technique in (Citation: Xiao-iOS).\n\nDetection: iOS 9 and above typically requires explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple's App Store.\n\nPlatforms: iOS", + "value": "Abuse of iOS Enterprise App Signing Key - MOB-T1048", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1048", + "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-23.html", + "http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao" + ], + "external_id": "ECO-23", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:app-delivery-via-other-means" + ], + "mitre_platforms": [ + "iOS" + ] + }, + "uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac" + }, + { + "description": "On Android, details of onboard network interfaces are accessible to apps through the java.net. (Citation: NetworkInterface) class (Citation: NetworkInterface). The Android (Citation: TelephonyManager) class can be used to gather related information such as the IMSI, IMEI, and phone number (Citation: TelephonyManager).\n\nPlatforms: Android", + "value": "Local Network Configuration Discovery - MOB-T1025", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1025", + "https://developer.android.com/reference/java/net/NetworkInterface.html", + "https://developer.android.com/reference/android/telephony/TelephonyManager.html" + ], + "external_id": "MOB-T1025", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:discovery" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd" + }, + { + "description": "Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. 
Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems.\n\nPlatforms: Android, iOS", + "value": "Alternate Network Mediums - MOB-T1041", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1041", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html" + ], + "external_id": "APP-30", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:command-and-control", + "mitre-mobile-attack:mobile-attack:exfiltration" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a" + }, + { + "description": "On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store (Citation: ConnMonitor) advertises this functionality.\n\nPlatforms: Android", + "value": "Local Network Connections Discovery - MOB-T1024", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1024", + "https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&hl=en" + ], + "external_id": "MOB-T1024", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:discovery" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb" + }, + { + "description": "An adversary could make educated guesses of the device lock screen's PIN/password (e.g., commonly used values, birthdays, anniversaries) or attempt a dictionary or brute force attack against it. 
Brute force attacks could potentially be automated (Citation: PopSci-IPBox).\n\nPlatforms: Android, iOS", + "value": "Device Unlock Code Guessing or Brute Force - MOB-T1062", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1062", + "http://www.popsci.com/box-can-figure-out-your-4-digit-iphone-passcode" + ], + "external_id": "MOB-T1062", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:exploit-via-physical-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a" + }, + { + "description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). 
If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).\n\nPlatforms: Android", + "value": "Exploit TEE Vulnerability - MOB-T1008", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1008", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "https://usmile.at/symposium/program/2015/thomas-holmes", + "https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html", + "https://usmile.at/symposium/program/2015/ekberg", + "http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html" + ], + "external_id": "APP-27", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:credential-access", + "mitre-mobile-attack:mobile-attack:privilege-escalation" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "ef771e03-e080-43b4-a619-ac6f84899884" + }, + { + "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication as described in NIST SP 800-153 (Citation: NIST-SP800153). 
\n\nFor example, Kaspersky describes a threat actor they call DarkHotel that targeted hotel Wi-Fi networks, using them to compromise computers belonging to business executives (Citation: Kaspersky-DarkHotel).\n\nPlatforms: Android, iOS", + "value": "Rogue Wi-Fi Access Points - MOB-T1068", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1068", + "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html", + "http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf", + "https://blog.kaspersky.com/darkhotel-apt/6613/" + ], + "external_id": "LPN-0", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:general-network-based" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "633baf01-6de4-4963-bb54-ff6c6357bed3" + }, + { + "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.\n\nDetection: Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. 
Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS", + "value": "Remotely Track Device Without Authorization - MOB-T1071", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1071", + "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", + "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html" + ], + "external_id": "EMM-7", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:cloud-based" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "6f86d346-f092-4abc-80df-8558a90c426a" + }, + { + "description": "An adversary could attempt to spoof a mobile device's biometric authentication mechanism, for example by providing a fake fingerprint as described by SRLabs in (Citation: SRLabs-Fingerprint).\n\niOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID).\n\nPlatforms: Android, iOS", + "value": "Biometric Spoofing - MOB-T1063", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1063", + "https://srlabs.de/bites/spoofing-fingerprints/", + "https://support.apple.com/en-us/HT204587" + ], + "external_id": "MOB-T1063", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:exploit-via-physical-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "45dcbc83-4abc-4de1-b643-e528d1e9df09" + }, + { + "description": "An attacker could jam radio signals (e.g. 
Wi-Fi, cellular, GPS) to prevent the mobile device from communicating as described in draft NIST SP 800-187 (Citation: NIST-SP800187).\n\nPlatforms: Android, iOS", + "value": "Jamming or Denial of Service - MOB-T1067", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1067", + "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", + "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html", + "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html", + "https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html", + "http://csrc.nist.gov/publications/drafts/800-187/sp800%20187%20draft.pdf" + ], + "external_id": "GPS-0", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:cellular-network-based", + "mitre-mobile-attack:mobile-attack:general-network-based" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d" + }, + { + "description": "A malicious app or other attack vector could capture sensitive data stored in the device clipboard, for example passwords being copy-and-pasted from a password manager app.\n\nPlatforms: Android, iOS", + "value": "Capture Clipboard Data - MOB-T1017", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1017", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html" + ], + "external_id": "APP-35", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:collection", + "mitre-mobile-attack:mobile-attack:credential-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692" + }, + { + "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.\n\nDetection: On both Android (6.0 and up) and iOS, the 
user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS", + "value": "Access Contact List - MOB-T1035", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1035", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html" + ], + "external_id": "APP-13", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:collection" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" + }, + { + "description": "An adversary could steal developer account credentials on an app store and/or signing keys to publish malicious updates to existing Android or iOS apps, or to abuse the developer's identity and reputation to publish new malicious applications. For example, Infoworld describes this technique and suggests mitigations in (Citation: Infoworld-Appstore).\n\nDetection: Developers can regularly scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.\n\nPlatforms: Android, iOS", + "value": "Stolen Developer Credentials or Signing Keys - MOB-T1044", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1044", + "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html", + "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html", + "http://www.infoworld.com/article/2854963/mobile-development/how-to-keep-your-app-store-dev-account-from-being-hijacked.html" + ], + "external_id": "ECO-17", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:app-delivery-via-authorized-app-store" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "a21a6a79-f9a1-4c87-aed9-ba2d79536881" + }, + { + "description": "An adversary may capture network traffic to and from the 
device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.\n\nDetection: On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.\n\nPlatforms: Android, iOS", + "value": "Network Traffic Capture or Redirection - MOB-T1013", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1013", + "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/" + ], + "external_id": "MOB-T1013", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:collection", + "mitre-mobile-attack:mobile-attack:credential-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "3b0b604f-10db-41a0-b54c-493124d455b9" + }, + { + "description": "An adversary could attempt to read files that contain sensitive data or credentials (e.g., private keys, passwords, access tokens). 
This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).\n\nPlatforms: Android, iOS", + "value": "Access Sensitive Data or Credentials in Files - MOB-T1012", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1012", + "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html" + ], + "external_id": "AUT-0", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:collection", + "mitre-mobile-attack:mobile-attack:credential-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" + }, + { + "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. 
Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.\n\nThomas Roth describes the potential for placing a rootkit within the TrustZone secure world (Citation: Roth-Rootkits).\n\nDetection: Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.\n\nPlatforms: Android", + "value": "Modify Trusted Execution Environment - MOB-T1002", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1002", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf", + "https://www.apple.com/business/docs/iOS%20Security%20Guide.pdf" + ], + "external_id": "APP-27", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:defense-evasion", + "mitre-mobile-attack:mobile-attack:persistence" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "f1c3d071-0c24-483d-aca0-e8b8496ce468" + }, + { + "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate as described in draft NIST SP 800-187 (Citation: NIST-SP800187). 
Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.\n\nPlatforms: Android, iOS", + "value": "Downgrade to Insecure Protocols - MOB-T1069", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1069", + "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", + "http://csrc.nist.gov/publications/drafts/800-187/sp800%20187%20draft.pdf" + ], + "external_id": "CEL-3", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:cellular-network-based", + "mitre-mobile-attack:mobile-attack:general-network-based" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "f58cd69a-e548-478b-9248-8a9af881dc34" + }, + { + "description": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.\n\nPlatforms: Android, iOS", + "value": "Generate Fraudulent Advertising Revenue - MOB-T1075", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1075" + ], + "external_id": "MOB-T1075", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:effects" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf" + }, + { + "description": "An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app.\n\n (Citation: Zhou) and Jiang (Citation: Zhou) analyzed 1260 Android malware samples belonging to 49 families of malware, and determined that 29 malware families and 83.3% of the samples listened for BOOT_COMPLETED.\n\nPlatforms: Android", + "value": "App Auto-Start at Device Boot - MOB-T1005", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1005", + "http://ieeexplore.ieee.org/document/6234407" + ], + 
"external_id": "MOB-T1005", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:persistence" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69" + }, + { + "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.\n\nPlatforms: Android, iOS", + "value": "Commonly Used Port - MOB-T1039", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1039" + ], + "external_id": "MOB-T1039", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:command-and-control", + "mitre-mobile-attack:mobile-attack:exfiltration" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "3911658a-6506-4deb-9ab4-595a51ae71ad" + }, + { + "description": "An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. 
This technique likely requires privileged access (a rooted or jailbroken device).\n\nPlatforms: Android, iOS", + "value": "Manipulate App Store Rankings or Ratings - MOB-T1055", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1055" + ], + "external_id": "MOB-T1055", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:effects" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69" + }, + { + "description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS", + "value": "Access Calendar Entries - MOB-T1038", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1038", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html" + ], + "external_id": "APP-13", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:collection" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "62adb627-f647-498e-b4cc-41499361bacb" + }, + { + "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).\n\nDetection: Google provides the ability for users to view their general account activity. 
Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS", + "value": "Remotely Wipe Data Without Authorization - MOB-T1072", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1072", + "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", + "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", + "https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/" + ], + "external_id": "EMM-7", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:cloud-based" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "537ea573-8a1c-468c-956b-d16d2ed9d067" + }, + { + "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages to a phone number under the attacker's control. The adversary could then act as a man-in-the-middle to intercept or manipulate the communication. These issues are discussed in (Citation: Engel-SS7), (Citation: Engel-SS7)-2008, (Citation: 3GPP-Security), (Citation: Positive-SS7), as well as in a report from the Communications, Security, Reliability, and Interoperability Council (CSRIC) (Citation: CSRIC5-WG10-FinalReport).\n\nDetection: Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the CSRIC (Citation: CSRIC5-WG10-FinalReport). 
The CSRIC also suggests threat information sharing between telecommunications industry members.\n\nPlatforms: Android, iOS", + "value": "Exploit SS7 to Redirect Phone Calls/SMS - MOB-T1052", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1052", + "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html", + "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf", + "http://www.3gpp.org/ftp/tsg%20sa/wg3%20security/%20specs/33900-120.pdf", + "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf", + "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" + ], + "external_id": "CEL-37", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:cellular-network-based" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d" + }, + { + "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes, but doing so introduces the potential ability for others to maliciously update the kernel or other boot partition code.\n\nIf the bootloader is not unlocked, it may still be possible to exploit device vulnerabilities to update the code.\n\nDetection: The Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices. 
Samsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\nSamsung KNOX devices include a non-reversible Knox warranty bit fuse that is triggered \"if a non-Knox kernel has been loaded on the device\" (Citation: Samsung-KnoxWarrantyBit). If triggered, enterprise Knox container services will no longer be available on the device.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.\n\nMany enterprise applications perform their own checks to detect and respond to compromised devices. These checks are not foolproof but can detect common signs of compromise.\n\nPlatforms: Android, iOS", + "value": "Modify OS Kernel or Boot Partition - MOB-T1001", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1001", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "https://www2.samsungknox.com/en/faq/what-knox-warranty-bit-and-how-it-triggered", + "https://www.apple.com/business/docs/iOS%20Security%20Guide.pdf" + ], + "external_id": "APP-27", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:defense-evasion", + "mitre-mobile-attack:mobile-attack:persistence" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5" + }, + { + "description": "A malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions, as demonstrated in a proof of concept created by Skycure (Citation: Skycure-Accessibility).\n\nPlatforms: Android", + "value": "Abuse Accessibility Features - MOB-T1056", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1056", + "https://www.skycure.com/blog/accessibility-clickjacking/" + ], + "external_id": 
"MOB-T1056", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:collection", + "mitre-mobile-attack:mobile-attack:credential-access" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "2204c371-6100-4ae0-82f3-25c07c29772a" + }, + { + "description": "Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities.\n\nFor example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).\n\nPlatforms: Android, iOS", + "value": "Insecure Third-Party Libraries - MOB-T1028", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1028", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html", + "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/" + ], + "external_id": "APP-6", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:supply-chain" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "11bd699b-f2c2-4e48-bf46-fb3f8acd9799" + }, + { + "description": "An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review (Citation: Poeplau-ExecuteThis). 
\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability (Citation: Bromium-AndroidRCE).\n\nOn iOS, techniques for executing dynamic code downloaded after application installation include JSPatch (Citation: FireEye-JSPatch). (Citation: Wang) et al. describe a related method of constructing malicious logic at app runtime on iOS (Citation: Wang).\n\nPlatforms: Android, iOS", + "value": "Download New Code at Runtime - MOB-T1010", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1010", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", + "https://www.internetsociety.org/sites/default/files/10%205%200.pdf", + "https://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/", + "https://www.fireeye.com/blog/threat-research/2016/01/hot%20or%20not%20the%20bene.html", + "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang%20tielei" + ], + "external_id": "APP-20", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:defense-evasion" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "6c49d50f-494d-4150-b774-a655022d20a6" + }, + { + "description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices, for example as described in (Citation: Engel-SS7), (Citation: Engel-SS7)-2008, (Citation: 3GPP-Security) and (Citation: Positive-SS7), as well as in a report from the Communications, Security, Reliability, and Interoperability Council (CSRIC) (Citation: CSRIC5-WG10-FinalReport).\n\nDetection: Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the CSRIC (Citation: CSRIC-WG1-FinalReport). 
The CSRIC also suggests threat information sharing between telecommunications industry members.\n\nPlatforms: Android, iOS", + "value": "Exploit SS7 to Track Device Location - MOB-T1053", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1053", + "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", + "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf", + "http://www.3gpp.org/ftp/tsg%20sa/wg3%20security/%20specs/33900-120.pdf", + "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf", + "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" + ], + "external_id": "CEL-38", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:cellular-network-based" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "52651225-0b3a-482d-aa7e-10618fd063b5" + }, + { + "description": "A malicious app can register as a device keyboard and intercept keypresses containing sensitive values such as usernames and passwords. Zeltser (Citation: Zeltser-Keyboard) describes these risks.\n\nBoth iOS and Android require the user to explicitly authorize use of third party keyboard apps. 
Users should be advised to use extreme caution before granting this authorization when it is requested.\n\nPlatforms: Android, iOS", + "value": "Malicious Third Party Keyboard App - MOB-T1020", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1020", + "https://zeltser.com/third-party-keyboards-security/" + ], + "external_id": "MOB-T1020", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:collection", + "mitre-mobile-attack:mobile-attack:credential-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad" + }, + { + "description": "A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.\n\nPlatforms: Android, iOS", + "value": "Exploit OS Vulnerability - MOB-T1007", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1007", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html" + ], + "external_id": "APP-26", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:privilege-escalation" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" + }, + { + "description": "An adversary with control of a target's Google account can use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account as described in (Citation: Oberheide-RemoteInstall), (Citation: Konoth). 
However, only applications that are available for download through the Google Play Store can be remotely installed using this technique.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n\nPlatforms: Android", + "value": "Remotely Install Application - MOB-T1046", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1046", + "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html", + "https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/", + "http://www.vvdveen.com/publications/BAndroid.pdf" + ], + "external_id": "ECO-4", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:app-delivery-via-authorized-app-store" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "831e3269-da49-48ac-94dc-948008e8fd16" + }, + { + "description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. If an adversary can escalate privileges, he or she may be able to use those privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.\n\nSabanal describes the potential use of this technique in (Citation: Sabanal-ART).\n\nPlatforms: Android", + "value": "Modify cached executable code - MOB-T1006", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1006", + "https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf" + ], + "external_id": "MOB-T1006", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:persistence" + ], + "mitre_platforms": [ + "Android" + ] + }, + "uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6" + }, + { + "description": "Adversaries may seek to identify all applications installed on the device. 
One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.\n\nOn Android, applications can use methods in the PackageManager class (Citation: Android-PackageManager) to enumerate other apps installed on device, or an entity with shell access can use the pm command line tool.\n\nOn iOS, apps can use private API calls to obtain a list of other apps installed on the device as described by Kurtz (Citation: Kurtz-MaliciousiOSApps), however use of private API calls will likely prevent the application from being distributed through Apple's App Store.\n\nPlatforms: Android, iOS", + "value": "Application Discovery - MOB-T1021", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1021", + "https://developer.android.com/reference/android/content/pm/PackageManager.html", + "https://andreas-kurtz.de/2014/09/malicious-ios-apps/" + ], + "external_id": "MOB-T1021", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:defense-evasion", + "mitre-mobile-attack:mobile-attack:discovery" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "198ce408-1470-45ee-b47f-7056050d4fc2" + }, + { + "description": "Techniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lock screen. 
The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.\n\nPlatforms: Android, iOS", + "value": "Lockscreen Bypass - MOB-T1064", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1064", + "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/", + "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/" + ], + "external_id": "MOB-T1064", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:exploit-via-physical-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd" + }, + { + "description": "An adversary could convince the mobile network operator (e.g. through social networking or forged identification) to issue a new SIM card and associate it with an existing phone number and account (Citation: NYGov-Simswap). The adversary could then obtain SMS messages or hijack phone calls intended for someone else (Citation: Betanews-Simswap). 
One use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts (Citation: Guardian-Simswap).\n\nPlatforms: Android, iOS", + "value": "SIM Card Swap - MOB-T1054", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1054", + "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html", + "http://www.dos.ny.gov/consumerprotection/scams/att-sim.html", + "http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/", + "https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters" + ], + "external_id": "STA-22", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:cellular-network-based" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "a64a820a-cb21-471f-920c-506a2ff04fa5" + }, + { + "description": "An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access device location through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS", + "value": "Location Tracking - MOB-T1033", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1033", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html" + ], + "external_id": "APP-24", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:collection" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" + }, + { + "description": "If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the 
connection.\n\nKrebs described this technique in (Citation: Krebs-JuiceJacking). Lau et al. (Citation: Lau-Mactans) demonstrated the ability to inject malicious applications into an iOS device via USB. Hay (Citation: IBM-NexusUSB) demonstrated the ability to exploit a Nexus 6 or 6P device over USB and then gain the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.\n\nPlatforms: Android, iOS", + "value": "Exploit via Charging Station or PC - MOB-T1061", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1061", + "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html", + "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/", + "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf", + "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/" + ], + "external_id": "PHY-1", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:exploit-via-physical-access" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "667e5707-3843-4da8-bd34-88b922526f0d" + }, + { + "description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. 
For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to man-in-the-middle attacks (Citation: FireEye-SSL).\n\nPlatforms: Android, iOS", + "value": "Manipulate Device Communication - MOB-T1066", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1066", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", + "https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html" + ], + "external_id": "APP-1", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:general-network-based" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63" + }, + { + "description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. 
For example, Ritter and DePerry of iSEC Partners demonstrated this technique using a compromised cellular femtocell at Black Hat USA 2013 (Citation: Computerworld-Femtocell).\n\nPlatforms: Android, iOS", + "value": "Rogue Cellular Base Station - MOB-T1070", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1070", + "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", + "http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html" + ], + "external_id": "CEL-7", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:cellular-network-based" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "a5de0540-73e7-4c67-96da-4143afedc7ed" + }, + { + "description": "An adversary could download a legitimate app, disassemble it, add malicious code, and then reassemble the app, for example as described by (Citation: Zhou) and Jiang in (Citation: Zhou). The app would appear to be the original app but contain additional malicious functionality. 
The adversary could then publish this app to app stores or use another delivery technique.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.\n\nPlatforms: Android, iOS", + "value": "Repackaged Application - MOB-T1047", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1047", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", + "http://ieeexplore.ieee.org/document/6234407" + ], + "external_id": "APP-14", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:app-delivery-via-authorized-app-store", + "mitre-mobile-attack:mobile-attack:app-delivery-via-other-means" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f" + }, + { + "description": "An adversary may seek to lock the legitimate user out of the device, for example until a ransom is paid.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to lock the user out of the device.\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. 
However, on jailbroken devices, malware has been demonstrated that can lock the user out of the device (Citation: KeyRaider).\n\nPlatforms: Android, iOS", + "value": "Lock User Out of Device - MOB-T1049", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1049", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html", + "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" + ], + "external_id": "APP-28", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:effects" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" + }, + { + "description": "As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.\n\nDetection: Enterprises could deploy integrity checking software to the computers that they use to develop code to detect presence of unauthorized, modified software development tools.\n\nPlatforms: Android, iOS", + "value": "Malicious Software Development Tools - MOB-T1065", + "meta": { + "refs": [ + "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1065", + "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/" + ], + "external_id": "MOB-T1065", + "kill_chain": [ + "mitre-mobile-attack:mobile-attack:supply-chain" + ], + "mitre_platforms": [ + "Android", + "iOS" + ] + }, + "uuid": "b928b94a-4966-4e2a-9e61-36505b896ebc" + } + ] +} \ No newline at end of file diff --git a/clusters/mitre-pre-attack-attack-pattern.json b/clusters/mitre-pre-attack-attack-pattern.json index d8873e5..6004353 100644 --- a/clusters/mitre-pre-attack-attack-pattern.json +++ b/clusters/mitre-pre-attack-attack-pattern.json 
@@ -1,2449 +1,2449 @@ { - "name": "Pre Attack - Attack Pattern", - "type": "mitre-pre-attack-attack-pattern", - "description": "ATT&CK tactic", - "version": 3, - "source": "https://github.com/mitre/cti", - "uuid": "03c13bec-1708-11e8-92a0-a747c0787089", - "authors": [ - "MITRE" - ], - "values": [ - { - "description": "Many mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). An adversary can submit multiple code samples to these stores deliberately designed to probe the stores' security analysis capabilities, with the goal of determining effective techniques to place malicious applications in the stores that could then be delivered to targeted devices. (Citation: Android Bouncer) (Citation: Adventures in BouncerLand) (Citation: Jekyll on iOS) (Citation: Fruit vs Zombies)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The app store operators (e.g., Apple and Google) may detect the attempts, but it would not be observable to those being attacked.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: An adversary can submit code remotely using throwaway accounts, although a registration fee may need to be paid for each new account (e.g., $99 for Apple and $25 for Google Play Store).", - "value": "Test ability to evade automated mobile application security analysis performed by app stores - PRE-T1170", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1170" - ], - "external_id": "PRE-T1170", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:test-capabilities" - ] - }, - "uuid": "c9e85b80-39e8-42df-b275-86a2afcea9e8" - }, - { - "description": "Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. 
(Citation: FireEyeAPT17)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will generally not have visibility into their infrastructure.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Building and testing infrastructure and obfuscating it to protect it against intrusions are a standard part of the adversary process in preparing to conduct an operation against a target.", - "value": "Obfuscate infrastructure - PRE-T1108", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1108" - ], - "external_id": "PRE-T1108", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure" - ] - }, - "uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39" - }, - { - "description": "Backup infrastructure allows an adversary to recover from environmental and system failures. It also facilitates recovery or movement to other infrastructure if the primary infrastructure is discovered or otherwise is no longer viable. 
(Citation: LUCKYCAT2012)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Infrastructure is (typically) outside of control/visibility of defender and as such as tools are staged for specific campaigns, it will not be obvious to those being attacked.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: The adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], commercial storage solutions).", - "value": "Create backup infrastructure - PRE-T1116", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1116" - ], - "external_id": "PRE-T1116", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure" - ] - }, - "uuid": "a425598d-7c19-40f7-9aa3-ac20f0d5c2b2" - }, - { - "description": "An adversary may assess a target's operational security (OPSEC) practices in order to identify targeting options. A target may share different information in different settings or be more of less cautious in different environments. (Citation: Scasny2015) (Citation: EverstineAirStrikes)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender does not have access to information stored outside of defenders scope or visibility (e.g., log data for Facebook is not easily accessible). Defender has very infrequent visibility into an adversary's more detailed TTPs for developing people targets.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Information is out in the open for items that are available - part of this is ease of use for consumers to support the expected networking use case. OSINT can provide many avenues to gather intel which contain weaknesses. 
Developing and refining the methodology to exploit weak human targets has been done for years (e.g., spies).", - "value": "Assess targeting options - PRE-T1073", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1073" - ], - "external_id": "PRE-T1073", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:people-weakness-identification" - ] - }, - "uuid": "d69c3e06-8311-4093-8e3e-0a8e06b15d92" - }, - { - "description": "Analysts may receive intelligence requirements from leadership and begin research process to satisfy a requirement. Part of this process may include delineating between needs and wants and thinking through all the possible aspects associating with satisfying a requirement. (Citation: FBIIntelligencePrimer)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", - "value": "Receive operator KITs/KIQs tasking - PRE-T1012", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1012" - ], - "external_id": "PRE-T1012", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:priority-definition-planning" - ] - }, - "uuid": "7863b7f1-c18a-4aad-a6cf-4aa6d8797531" - }, - { - "description": "An adversary will require some physical hardware and software. They may only need a lightweight set-up if most of their activities will take place using on-line infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems. 
(Citation: NYTStuxnet)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Outside of highly specific or rare HW, nearly impossible to detect and track.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Ease and availability of current hardware and software, mobile phones (cash and go phones), and additional online technology simplifies adversary process to achieve this technique (and possibly without traceability). The adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS).", - "value": "Procure required equipment and software - PRE-T1112", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1112" - ], - "external_id": "PRE-T1112", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure" - ] - }, - "uuid": "2141aea0-cf38-49aa-9e51-ac34092bc30a" - }, - { - "description": "Security defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses. (Citation: OSFingerprinting2014) (Citation: NMAP WAF NSE)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Technically, the defender has the ability to detect. However, this is typically not performed as this type of traffic would likely not prompt the defender to take any actionable defense. In addition, this would require the defender to closely review their access logs for any suspicious activity (if the activity is even logged).\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: The adversary will have some insight into defenses based on dropped traffic or filtered responses. 
It is more difficult to pinpoint which defenses are implemented (e.g., [https://www.fireeye.com FireEye] WMPS, [https://www.hpe.com Hewlett Packard Enterprise] Tipping Point IPS).", - "value": "Identify security defensive capabilities - PRE-T1040", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1040" - ], - "external_id": "PRE-T1040", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "04e93ca1-8415-4a46-8549-73b7c84f8dc3" - }, - { - "description": "Leadership or key decision makers may derive specific intelligence requirements from Key Intelligence Topics (KITs) or Key Intelligence Questions (KIQs). Specific intelligence requirements assist analysts in gathering information to establish a baseline of information about a topic or question and collection managers to clarify the types of information that should be collected to satisfy the requirement. (Citation: LowenthalCh4) (Citation: Heffter)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", - "value": "Derive intelligence requirements - PRE-T1007", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1007" - ], - "external_id": "PRE-T1007", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:priority-definition-planning" - ] - }, - "uuid": "15d5eaa4-597a-47fd-a692-f2bed434d904" - }, - { - "description": "The use of algorithms in malware to periodically generate a large number of domain names which function as rendezvous points for malware command and control servers. 
(Citation: DamballaDGA) (Citation: DambballaDGACyberCriminals)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: It is possible to detect the use of DGAs; however, defenders have largely not been successful at mitigating the domains because they are generally registered less than an hour before they are used and disposed of within 24 hours.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This technique does not require a significant amount of sophistication while still being highly effective. It was popularized by the Conficker worms but is prevalent in crimeware such as Murofet and BankPatch.", - "value": "Domain Generation Algorithms (DGA) - PRE-T1100", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1100" - ], - "external_id": "PRE-T1100", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "274164c6-4297-42d4-84b5-2369e51013fe" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nThe utilization of resources not owned by the adversary to launch exploits or operations. This includes utilizing equipment that was previously compromised or leveraging access gained by other methods (such as compromising an employee at a business partner location). 
(Citation: CitizenLabGreatCannon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: While possible to detect, it requires a broader vantage point than is typical that provides increased insight and conducts extensive data analysis and correlation between events.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Conducting technique requires either nation-state level capabilities or large amounts of financing to coordinate multiple 3rd party resources to gain desired insight.", - "value": "Leverage compromised 3rd party resources - PRE-T1152", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1152" - ], - "external_id": "PRE-T1152", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:launch" - ] - }, - "uuid": "2c8a9df4-52a9-4770-94b3-5e95ab7d59f9" - }, - { - "description": "Execution of code and network communications often result in logging or other system or network forensic artifacts. An adversary can run their code to identify what is recorded under different conditions. This may result in changes to their code or adding additional actions (such as deleting a record from a log) to the code. 
(Citation: EDB-39007) (Citation: infosec-covering-tracks)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary controls the test and defender likely has no visibility.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary has full control of environment to determine what level of auditing and traces exist on a system after execution.", - "value": "Review logs and residual traces - PRE-T1135", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1135" - ], - "external_id": "PRE-T1135", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:test-capabilities" - ] - }, - "uuid": "a16e4004-caac-4a0b-acd5-486f8fda1665" - }, - { - "description": "Job postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on technologies within the organization which could be valuable in attack or provide insight in to possible security weaknesses or limitations in detection or protection mechanisms. (Citation: JobPostingThreat)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Impossible to differentiate between an adversary and a normal user when accessing open/public information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Publicly posted information by design. 
Providing too much detail in the job posting could aid the adversary in learning more about the target's environment and possible technical weaknesses/deficiencies.", - "value": "Identify job postings and needs/gaps - PRE-T1025", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1025" - ], - "external_id": "PRE-T1025", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "c721b235-679a-4d76-9ae9-e08921fccf84" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nEmails with malicious attachments are designed to get a user to open/execute the attachment in order to deliver malware payloads. (Citation: APT1)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Many technologies exist to scan content and/or emulate a workstation prior to the target receiving and executing the attachment (detonation chambers) in order to reduce malicious emails and attachments being delivered to the intended target. However, encryption continues to be a stumbling block. In addition, there are a variety of commercial technologies available that enable users to screen for phishing messages and which are designed to enhance email security.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending the emails is the simple part, ensuring they make it to the target (e.g., not being filtered) may be challenging. 
Over time, an adversary refines their techniques to minimize detection by making their emails seem legitimate in structure and content.", - "value": "Spear phishing messages with malicious attachments - PRE-T1144", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1144" - ], - "external_id": "PRE-T1144", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:launch" - ] - }, - "uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" - }, - { - "description": "Fake certificates can be acquired by legal process or coercion. Or, an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as a part of Man-in-the-Middle attacks. (Citation: SubvertSSL)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The certificate authority who is hacked cannot easily see they've been compromised, but [https://www.google.com Google] has caught on to this occurring in previous attacks such as DigiNotar (Citation: DigiNotar2016) and [https://www.verisign.com Verisign].\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: One example of it occurring in the real world is the DigiNotar (Citation: DigiNotar2016) case. To be able to do this usually requires sophisticated skills and is traditionally done by a nation state to spy on its citizens.", - "value": "SSL certificate acquisition for trust breaking - PRE-T1115", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1115" - ], - "external_id": "PRE-T1115", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure" - ] - }, - "uuid": "54a42187-a20c-4e4e-ba31-8d15c9e1f57f" - }, - { - "description": "Proxies act as an intermediary for clients seeking resources from other systems. Using a proxy may make it more difficult to track back the origin of a network communication. 
(Citation: APT1)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defenders with standard capabilities will traditionally be able to see the first hop but not all the subsequent earlier hops an adversary takes to be able to conduct reconnaissance.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Proxies are readily available for the adversary with both free and cost-based options available.", - "value": "Proxy/protocol relays - PRE-T1081", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1081" - ], - "external_id": "PRE-T1081", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "b14f6692-b613-44bb-9f30-8381a5ff10d5" - }, - { - "description": "Domain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public or easily obtainable information by design.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: AS and IANA data are easily available, existing research tools.", - "value": "Determine domain and IP address space - PRE-T1027", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1027" - ], - "external_id": "PRE-T1027", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "23ecb7e0-0340-43d9-80a5-8971fe866ddf" - }, - { - "description": "A remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. An adversary may utilize existing RATs, modify existing RATs, or create their own RAT. 
(Citation: ActiveMalwareEnergy)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but development will be performed on their local systems.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Many successful RATs exist for re-use/tailoring in addition to those an adversary may choose to build from scratch. The adversary's capabilities, target sensitivity, and needs will likely determine whether a previous RAT is modified for use a new one is built from scratch.", - "value": "Remote access tool development - PRE-T1128", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1128" - ], - "external_id": "PRE-T1128", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:build-capabilities" - ] - }, - "uuid": "9755ecdc-deb0-40e6-af49-713cb0f8ed92" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique to push an [https://www.apple.com/ios iOS] or [https://www.android.com Android] MMS-type message to the target which does not require interaction on the part of the target to be successful. (Citation: BlackHat Stagefright) (Citation: WikiStagefright)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: For non-corporate cellular devices not joined to the corporate network, it is not possible to detect an adversary's use of the technique because messages traverse networks outside of the control of the employer. 
For corporate cellular devices which are joined to the corporate network, monitoring of messages and ability to patch against push attacks is possible, assuming they are fully monitored.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easily executed technique to push an MMS-type message to the target which does not require interaction on the part of the target to be successful.", - "value": "Push-notification client-side exploit - PRE-T1150", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1150" - ], - "external_id": "PRE-T1150", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:launch" - ] - }, - "uuid": "702dc95d-3266-42dc-9eef-4a19e2445148" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nClicking on links in email, opening attachments, or visiting websites that result in drive by downloads can all result in compromise due to users performing actions of a cyber nature. 
(Citation: AnonHBGary)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Some environments have anti-spearphishing mechanisms to detect or block the link before it reaches the user.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Users unwittingly click on spearphishing links frequently, despite training designed to educate about the perils of spearphishing.", - "value": "Authorized user performs requested cyber action - PRE-T1163", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1163" - ], - "external_id": "PRE-T1163", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:compromise" - ] - }, - "uuid": "0440f60f-9056-4791-a740-8eae96eb61fa" - }, - { - "description": "Once they have been created, intelligence requirements, Key Intelligence Topics (KITs), and Key Intelligence Questions (KIQs) are submitted into a central management system. (Citation: ICD204) (Citation: KIT-Herring)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", - "value": "Submit KITs, KIQs, and intelligence requirements - PRE-T1014", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1014" - ], - "external_id": "PRE-T1014", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:priority-definition-direction" - ] - }, - "uuid": "03da0598-ed46-4a73-bf43-0313b3522400" - }, - { - "description": "The use of credentials by an adversary with the intent to hide their true identity and/or portray them self as another person or entity. 
An adversary may use misattributable credentials in an attack to convince a victim that credentials are legitimate and trustworthy when this is not actually the case. (Citation: FakeSSLCerts)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: If a previous incident identified the credentials used by an adversary, defenders can potentially use these credentials to track the adversary through reuse of the same credentials.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: An adversary can easily create and use misattributable credentials to obtain servers, build environment, [https://aws.amazon.com AWS] accounts, etc. Many service providers require some form of identifiable information such as a phone number or email address, but there are several avenues to acquire these consistent with the misattributable identity.", - "value": "Misattributable credentials - PRE-T1099", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1099" - ], - "external_id": "PRE-T1099", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "31fa5b03-1ede-4fab-8a68-ed831fcf4899" - }, - { - "description": "Strategic plans outline the mission, vision, and goals for an adversary at a high level in relation to the key partners, topics, and functions the adversary carries out. (Citation: KPMGChina5Year) (Citation: China5YearPlans) (Citation: ChinaUN)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. 
May not be done by all adversaries.", - "value": "Create strategic plan - PRE-T1008", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1008" - ], - "external_id": "PRE-T1008", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:priority-definition-planning" - ] - }, - "uuid": "ec739e26-d097-4804-b04a-54dd81ff11e0" - }, - { - "description": "Once a 3rd party vendor has been identified as being of interest it can be probed for vulnerabilities just like the main target would be. (Citation: Zetter2015Threats) (Citation: WSJTargetBreach)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: 3rd parties would most likely not report network scans to their partners. Target network would not know that their 3rd party partners were being used as a vector.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: The difficult part is enumerating all 3rd parties. Finding major partners would not be difficult. Significantly easier with insider knowledge. Vulnerability scanning the 3rd party networks is trivial.", - "value": "Assess vulnerability of 3rd party vendors - PRE-T1075", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1075" - ], - "external_id": "PRE-T1075", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:organizational-weakness-identification" - ] - }, - "uuid": "1def484d-2343-470d-8925-88f45b5f9615" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nAttempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials to authenticate remotely. This access could be to a web portal, through a VPN, or in a phone app. 
(Citation: Remote Access Healthcare) (Citation: RDP Point of Sale)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: This is possible with diligent monitoring of login anomalies, expected user behavior/location. If the adversary uses legitimate credentials, it may go undetected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Attempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials. This is increasingly difficult to obtain access when two-factor authentication mechanisms are employed.", - "value": "Authentication attempt - PRE-T1158", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1158" - ], - "external_id": "PRE-T1158", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:launch" - ] - }, - "uuid": "4dfb98ea-03cc-4a9c-a3a7-b22e14f126c4" - }, - { - "description": "Domain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant. (Citation: ICANNDomainNameHijacking)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Generally not easily detectable unless domain registrar provides alerting on any updates.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Requires adversary to gain access to an email account for person listed as the domain registrar/POC. The adversary can then claim that they forgot their password in order to make changes to the domain registration. 
Other possibilities include social engineering a domain registration help desk to gain access to an account or take advantage of renewal process gaps.", - "value": "Domain registration hijacking - PRE-T1103", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1103" - ], - "external_id": "PRE-T1103", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure" - ] - }, - "uuid": "aadaee0d-794c-4642-8293-7ec22a99fb1a" - }, - { - "description": "Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts.", - "value": "Analyze organizational skillsets and deficiencies - PRE-T1077", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1077" - ], - "external_id": "PRE-T1077", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:organizational-weakness-identification" - ] - }, - "uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc" - }, - { - "description": "Active scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: This technique is an expected and voluminous activity when on the Internet. Active scanning techniques/tools typically generate benign traffic that does not require further investigation by a defender since there is no actionable defense to execute. 
The high volume of this activity makes it burdensome for any defender to chase and therefore often ignored.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Various available tools and data sources for scouting and detecting address, routing, version numbers, patch levels, protocols/services running, etc.", - "value": "Conduct active scanning - PRE-T1031", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1031" - ], - "external_id": "PRE-T1031", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "7f2d3da6-7e34-44a3-9e7f-905455339726" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique used to compromise victims wherein the victims visit a compromised website that redirects their browser to a malicious web site, such as an exploit kit's landing page. The exploit kit landing page will probe the victim's operating system, web browser, or other software to find an exploitable vulnerability to infect the victim. (Citation: GeorgeDriveBy) (Citation: BellDriveBy)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: With the use of malware detonation chambers (e.g., for web or email traffic), this improves detection. Encryption and other techniques reduces the efficacy of these defenses.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Placing an exploit on a public web site for driveby types of delivery is not impossible. 
However, gaining access to a web site with high enough traffic to meet specific objectives could be the challenge.", - "value": "Unconditional client-side exploitation/Injected Website/Driveby - PRE-T1149", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1149" - ], - "external_id": "PRE-T1149", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:launch" - ] - }, - "uuid": "58d0b955-ae3d-424a-a537-2804dab38793" - }, - { - "description": "An adversary can test the detections of malicious emails or files by using publicly available services, such as virus total, to see if their files or emails cause an alert. They can also use similar services that are not openly available and don't publicly publish results or they can test on their own internal infrastructure. (Citation: WiredVirusTotal)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: If using a common service like [https://www.virustotal.com VirusTotal], it is possible to detect. If the adversary uses a hostile, less well-known service, the defender would not be aware.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easy to automate upload/email of a wide range of data packages.", - "value": "Test signature detection - PRE-T1069", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1069" - ], - "external_id": "PRE-T1069", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-weakness-identification" - ] - }, - "uuid": "57061a8a-d7c5-42a9-be60-f79526b95bf6" - }, - { - "description": "A technique in which a fully qualified domain name has multiple IP addresses assigned to it which are swapped with extreme frequency, using a combination of round robin IP address and short Time-To-Live (TTL) for a DNS resource record. 
(Citation: HoneynetFastFlux) (Citation: MisnomerFastFlux) (Citation: MehtaFastFluxPt1) (Citation: MehtaFastFluxPt2)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as IPS, domain registrars, and service providers are likely in the best position for detection.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Fast flux is generally simple for an adversary to set up and offers several advantages. Such advantages include limited audit trails for defenders to find, ease of operation for an adversary to maintain, and support for main nodes.", - "value": "Fast Flux DNS - PRE-T1102", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1102" - ], - "external_id": "PRE-T1102", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "248cbfdd-fec4-451b-b2a9-e46d4b268e30" - }, - { - "description": "Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No technical means to detect an adversary collecting technical information about a target. 
Any detection would be based upon strong OPSEC policy implementation.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very effective technique for the adversary that does not require any formal training and relies upon finding just one person who exhibits poor judgement.", - "value": "Conduct social engineering - PRE-T1026", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1026" - ], - "external_id": "PRE-T1026", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1" - }, - { - "description": "A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: TrendmicroHideoutsLease)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Hard to differentiate from standard business operations.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Wide variety of cloud/VPS/hosting/compute/storage solutions available for adversary to acquire freely or at a low cost.", - "value": "Acquire and/or use 3rd party infrastructure services - PRE-T1106", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1106" - ], - "external_id": "PRE-T1106", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure" - ] - }, - "uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6" - }, - { - "description": "Obfuscation is the act of creating code that is more difficult to understand. Encoding transforms the code using a publicly available format. 
Encryption transforms the code such that it requires a key to reverse the encryption. (Citation: CylanceOpCleaver)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Detecting encryption is easy, decrypting/deobfuscating is hard.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Various solutions exist for the adversary to use. This technique is commonly used to prevent attribution and evade detection.", - "value": "Obfuscate or encrypt code - PRE-T1096", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1096" - ], - "external_id": "PRE-T1096", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "357e137c-7589-4af1-895c-3fbad35ea4d2" - }, - { - "description": "Understanding organizational skillsets and deficiencies could provide insight in to weakness in defenses, or opportunities for exploitation. (Citation: FakeLinkedIn)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No access to who is consuming the job postings to know what is being observed.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Job postings have to be made public for contractors and many times have the name of the organization being supported.", - "value": "Analyze organizational skillsets and deficiencies - PRE-T1074", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1074" - ], - "external_id": "PRE-T1074", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:people-weakness-identification" - ] - }, - "uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41" - }, - { - "description": "An adversary could distribute malicious software development tools (e.g., compiler) that hide malicious behavior in software built using the tools. 
(Citation: PA XcodeGhost) (Citation: Reflections on Trusting Trust)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Developers could check a hash or signature of their development tools to ensure that they match expected values (e.g., Apple provides instructions of how to do so for its Xcode developer tool), but developers may not always do so.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: The adversary would need to either replace the tools provided at the official download location or influence developers to download the tools from an adversary-controlled third-party download location. Desktop operating systems (e.g., Windows, macOS) are increasingly encouraging use of vendor-provided official app stores to distribute software, which utilize code signing and increase the difficulty of replacing development tools with malicious versions.", - "value": "Distribute malicious software development tools - PRE-T1171", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1171" - ], - "external_id": "PRE-T1171", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:stage-capabilities" - ] - }, - "uuid": "d2c4206a-a431-4494-834d-52944a79e9f4" - }, - { - "description": "Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an signed piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not know what certificates an adversary acquires from a 3rd party. 
Defender will not know prior to public disclosure if a 3rd party has had their certificate compromised.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: It is trivial to purchase code signing certificates within an organization; many exist and are available at reasonable cost. It is complex to factor or steal 3rd party code signing certificates for use in malicious mechanisms", - "value": "Acquire or compromise 3rd party signing certificates - PRE-T1109", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1109" - ], - "external_id": "PRE-T1109", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure" - ] - }, - "uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983" - }, - { - "description": "Both newly built personas and pre-compromised personas may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. 
(Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Unless there is some threat intelligence reporting, these users are hard to differentiate.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: The only difference between an adversary conducting this technique and a typical user, is the adversary's intent - to target an individual for compromise.", - "value": "Develop social network persona digital footprint - PRE-T1119", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1119" - ], - "external_id": "PRE-T1119", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:persona-development" - ] - }, - "uuid": "271e6d40-e191-421a-8f87-a8102452c201" - }, - { - "description": "A technique used by the adversary similar to Dynamic DNS with the exception that the use of multiple DNS infrastructures likely have whois records. (Citation: KrebsStLouisFed)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: This is by design captured in public registration logs. Various tools and services exist to track/query/monitor domain name registration information. 
However, tracking multiple DNS infrastructures will likely require multiple tools/services or more advanced analytics.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Requires more planning, but feasible.", - "value": "Use multiple DNS infrastructures - PRE-T1104", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1104" - ], - "external_id": "PRE-T1104", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure" - ] - }, - "uuid": "616238cb-990b-4c71-8f50-d8b10ed8ce6b" - }, - { - "description": "Many applications use third-party software libraries, often without full knowledge of the behavior of the libraries by the application developer. For example, mobile applications often incorporate advertising libraries to generate revenue for the application developer. Vulnerabilities in these third-party libraries could potentially be exploited in any application that uses the library, and even if the vulnerabilities are fixed, many applications may still use older, vulnerable versions of the library. (Citation: Flexera News Vulnerabilities) (Citation: Android Security Review 2015) (Citation: Android Multidex RCE)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Open source software has great appeal mostly due to the time savings and that it is free. However, using this code without assessing it's security is akin to blindly executing third party software. Companies often do not dedicate the time to appropriately detect and scan for vulnerabilities. The mainstream mobile application stores scan applications for some known vulnerabilities. For example, Google's Android Application Security Improvement Program identifies and alerts developers to vulnerabilities present in their applications from use of the Vungle, Apache Cordova, WebView SSL, GnuTLS, and Vitamio third-party libraries. 
However, these scans are not likely to cover all vulnerable libraries, developers may not always act on the results, and the results may not be made available to impacted end users of the applications.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Developers commonly use open source libraries such that where an adversary can easily discover known vulnerabilities and create exploits. It is also generally easy to decompile arbitrary mobile applications to determine what libraries they use, and similarly use this information to correlate against known CVEs and exploit packages.", - "value": "Identify vulnerabilities in third-party software libraries - PRE-T1166", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1166" - ], - "external_id": "PRE-T1166", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-weakness-identification" - ] - }, - "uuid": "ad124f84-52d2-40e3-95dd-cfdd44eae6ef" - }, - { - "description": "DNS Calc is a technique in which the octets of an IP address are used to calculate the port for command and control servers from an initial DNS request. (Citation: CrowdstrikeNumberedPanda) (Citation: FireEyeDarwinsAPTGroup) (Citation: Rapid7G20Espionage)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: There are not currently available tools that provide the ability to conduct this calculation to detect this type of activity.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This technique assists the adversary in bypassing egress filtering designed to prevent unauthorized communication. It has been used by APT12, but not otherwise widely reported. 
Some botnets are hardcoded to be able to use this technique.", - "value": "DNSCalc - PRE-T1101", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1101" - ], - "external_id": "PRE-T1101", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "7823039f-e2d5-4997-853c-ec983631206b" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nExternally facing systems allow connections from outside the network as a normal course of operations. Externally facing systems may include, but are not limited to, websites, web portals, email, DNS, FTP, VPN concentrators, and boarder routers and firewalls. These systems could be in a demilitarized zone (DMZ) or may be within other parts of the internal environment. (Citation: CylanceOpCleaver) (Citation: DailyTechAntiSec)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Most DMZs are monitored but are also designed so that if they are compromised, the damage/risk is limited.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: DMZ environments are specifically designed to be isolated because one assumes they will ultimately be compromised by the adversary.", - "value": "Compromise of externally facing system - PRE-T1165", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1165" - ], - "external_id": "PRE-T1165", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:compromise" - ] - }, - "uuid": "4aeafdb3-eb0b-4e8e-b93f-95cd499088b4" - }, - { - "description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain. 
(Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain) (Citation: RSA-supply-chain)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Difficult, if not impossible to detect, because the adversary may collect this information from external sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Supply chain diversity of sourcing increases adversary difficulty with accurate mapping. Industry practice has moved towards agile sourcing.", - "value": "Identify supply chains - PRE-T1023", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1023" - ], - "external_id": "PRE-T1023", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "78e41091-d10d-4001-b202-89612892b6ff" - }, - { - "description": "Dumpster diving is looking through waste for information on technology, people, and/or organizational items of interest. (Citation: FriedDumpsters)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Strong physical security and monitoring will detect this behavior if performed on premises.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Not difficult if waste is placed in an unsecured or minimally secured area before collection.", - "value": "Dumpster dive - PRE-T1063", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1063" - ], - "external_id": "PRE-T1063", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:organizational-information-gathering" - ] - }, - "uuid": "6c79d654-6506-4f33-b48f-c80babdcc52d" - }, - { - "description": "For a computing resource to be accessible to the public, domain names and IP addresses must be registered with an authorized organization. 
(Citation: Google Domains WHOIS) (Citation: FunAndSun2012) (Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Open access to DNS registration/routing information is inherent in Internet architecture.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Proliferation of DNS information makes registration information functionally freely available.", - "value": "Obtain domain/IP registration information - PRE-T1028", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1028" - ], - "external_id": "PRE-T1028", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "46017368-6e09-412b-a29c-385be201cc03" - }, - { - "description": "Business relationship information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (Citation: 11StepsAttackers)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Exception to the rule is if the adversary tips off the target that others have been asking about the relationship with them.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Requires an intensive process. 
In some industries, business relationships may be public in order to generate business, but this is not the case for all industries and all relationships.", - "value": "Identify business relationships - PRE-T1060", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1060" - ], - "external_id": "PRE-T1060", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:organizational-information-gathering" - ] - }, - "uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a" - }, - { - "description": "Anonymity services reduce the amount of information available that can be used to track an adversary's activities. Multiple options are available to hide activity, limit tracking, and increase anonymity. (Citation: TOR Design) (Citation: Stratfor2012)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Depends on service. Some are easy to detect, but are hard to trace (e.g., [https://torproject.org TOR]).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easy access to anonymizers, quasi-anonymous services like remailers, [https://torproject.org TOR], relays, burner phones, etc.", - "value": "Anonymity services - PRE-T1083", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1083" - ], - "external_id": "PRE-T1083", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "d3dca536-8bf0-4e43-97c1-44a2353c3d69" - }, - { - "description": "Command and Control (C2 or C&C) is a method by which the adversary communicates with malware. An adversary may use a variety of protocols and methods to execute C2 such as a centralized server, peer to peer, IRC, compromised web sites, or even social media. 
(Citation: HAMMERTOSS2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but development will be performed on their local systems.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: C2 over commonly used and permitted protocols provides the necessary cover and access.", - "value": "C2 protocol development - PRE-T1129", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1129" - ], - "external_id": "PRE-T1129", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:build-capabilities" - ] - }, - "uuid": "8e211ec9-5dfc-4915-aff4-84d5908f0336" - }, - { - "description": "For attacks incorporating social engineering the utilization of an on-line persona is important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites ([https://www.facebook.com Facebook], [https://www.linkedin.com LinkedIn], [https://twitter.com Twitter], [https://plus.google.com Google+], etc.). 
(Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Unless there is some threat intelligence reporting, these users are hard to differentiate.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Performing activities like typical users, but with specific intent in mind.", - "value": "Build social network persona - PRE-T1118", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1118" - ], - "external_id": "PRE-T1118", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:persona-development" - ] - }, - "uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4" - }, - { - "description": "Once divided into the most granular parts, analysts work with collection managers to task the collection management system with requirements and sub-requirements. (Citation: Heffter) (Citation: JP2-01)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", - "value": "Task requirements - PRE-T1017", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1017" - ], - "external_id": "PRE-T1017", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:priority-definition-direction" - ] - }, - "uuid": "b93bd611-da4e-4c84-a40f-325b712bed67" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nSpearphishing for information is a specific variant of spearphishing. Spearphishing for information is different from other forms of spearphishing in that it it doesn't leverage malicious code. 
All forms of spearphishing are elctronically delivered social engineering targeted at a specific individual, company, or industry. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials, without involving malicious code. Spearphishing for information frequently involves masquerading as a source with a reason to collect information (such as a system administrator or a bank) and providing a user with a website link to visit. The given website often closely resembles a legitimate site in appearance and has a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Spearphishing for information may also try to obtain information directly through the exchange of emails, instant messengers or other electronic conversation means. (Citation: ATTACKREF GRIZZLY STEPPE JAR)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Depending on the specific method of phishing, the detections can vary. For emails, filtering based on DKIP+SPF or header analysis can help detect when the email sender is spoofed. 
When it comes to following links, network intrusion detection systems (NIDS), firewalls, removing links, exploding shortened links, proxy monitoring, blocking uncategorized sites, and site reputation based filtering can all provide detection opportunities.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending emails is trivial, and, over time, an adversary can refine their technique to minimize detection by making their emails seem legitimate in structure and content.", - "value": "Spearphishing for Information - PRE-T1174", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1174" - ], - "external_id": "PRE-T1174", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "b182f29c-2505-4b32-a000-0440ef189f59" - }, - { - "description": "Domain Names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. (Citation: PWCSofacy2014)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: This is by design captured in public registration logs. Various tools and services exist to track/query/monitor domain name registration information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Proliferation of DNS TLDs and registrars. 
Adversary may choose domains that are similar to legitimate domains (aka \"domain typosquatting\" or homoglyphs).", - "value": "Buy domain name - PRE-T1105", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1105" - ], - "external_id": "PRE-T1105", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure" - ] - }, - "uuid": "45242287-2964-4a3e-9373-159fad4d8195" - }, - { - "description": "Technology usage patterns include identifying if users work offsite, connect remotely, or other possibly less restricted/secured access techniques. (Citation: SANSRemoteAccess)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Physical observations, OSINT for remote access instructions, and other techniques are not detectable.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Determine if users work offsite, connect remotely, or other possibly less restricted/secured access techniques.", - "value": "Identify technology usage patterns - PRE-T1041", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1041" - ], - "external_id": "PRE-T1041", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "194bff4f-c218-40df-bea3-1ace715de8dd" - }, - { - "description": "Business relationship information includes the associates of a target and may be discovered via social media sites such as [https://www.linkedin.com LinkedIn] or public press releases announcing new partnerships between organizations or people (such as key hire announcements in industry articles). This information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. 
(Citation: RSA-APTRecon) (Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender. Much of this information is widely known and difficult to obscure.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Made easier by today's current social media.", - "value": "Identify business relationships - PRE-T1049", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1049" - ], - "external_id": "PRE-T1049", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:people-information-gathering" - ] - }, - "uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nMany mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). These app stores scan submitted applications for malicious behavior. However, applications can evade these scans by downloading and executing new code at runtime that was not included in the original application package. (Citation: Fruit vs Zombies) (Citation: Android Hax) (Citation: Execute This!) (Citation: HT Fake News App) (Citation: Anywhere Computing kill 2FA) (Citation: Android Security Review 2015)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Third-party mobile application security analysis services exist that scan for use of these techniques in iOS and Android applications. Additionally, Google specifically calls out the ability to \"identify attacks that require connection to a server and dynamic downloading of code\" in its Android Security 2015 Year in Review report. 
However, many applications use these techniques as part of their legitimate operation, increasing the difficulty of detecting or preventing malicious use.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Runtime code execution techniques and examples of their use are widely documented on both Apple iOS and Android.", - "value": "Runtime code download and execution - PRE-T1172", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1172" - ], - "external_id": "PRE-T1172", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:launch" - ] - }, - "uuid": "41086474-e6de-4fac-bb69-640db7fdf3d2" - }, - { - "description": "Analysts assess current information available against requirements that outline needs and wants as part of the research baselining process to begin satisfying a requirement. (Citation: CyberAdvertisingChar) (Citation: CIATradecraft) (Citation: ForensicAdversaryModeling) (Citation: CyberAdversaryBehavior)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", - "value": "Assess current holdings, needs, and wants - PRE-T1013", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1013" - ], - "external_id": "PRE-T1013", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:priority-definition-planning" - ] - }, - "uuid": "8e927b19-04a6-4aaa-a42f-4f0a53411d27" - }, - { - "description": "Templates and branding materials may be used by an adversary to add authenticity to social engineering message. 
(Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary may download templates or branding from publicly available presentations that the defender can't monitor.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Some branding information is publicly available when a corporation publishes their briefings to the internet which provides insight into branding information and template materials. An exhaustive list of templating and branding is likely not available on the internet.",
- "value": "Obtain templates/branding materials - PRE-T1058",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1058"
- ],
- "external_id": "PRE-T1058",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:organizational-information-gathering"
- ]
- },
- "uuid": "68b45999-bb0c-4829-bbd0-75d6dac57c94"
- },
- {
- "description": "Dynamic DNS is a method of automatically updating a name in the DNS system. Providers offer this rapid reconfiguration of IPs to hostnames as a service. (Citation: DellMirage2012)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not know at first use what is valid or hostile traffic without more context. It is possible, however, for defenders to see if the PTR record for an address is hosted by a known DDNS provider. 
There is potential to assign some level of risk based on this.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Flexible and re-configurable command and control servers, along with deniable ownership and reduced cost of ownership.",
- "value": "Dynamic DNS - PRE-T1088",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1088"
- ],
- "external_id": "PRE-T1088",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:adversary-opsec"
- ]
- },
- "uuid": "20a66013-8dab-4ca3-a67d-766c842c561c"
- },
- {
- "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nEmails with malicious links are designed to get a user to click on the link in order to deliver malware payloads. (Citation: GoogleDrive Phishing) (Citation: RSASEThreat)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defenders can implement mechanisms to analyze links and identify levels of concerns. However, the adversary has the advantage of creating new links or finding ways to obfuscate the link so that common detection lists can not identify it. Detection of a malicious link could be identified once the file has been downloaded.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending emails is trivial and expected. 
The adversary needs to ensure links don't get tampered, removed, or flagged as a previously black-listed site.",
- "value": "Spear phishing messages with malicious links - PRE-T1146",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1146"
- ],
- "external_id": "PRE-T1146",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:launch"
- ]
- },
- "uuid": "489a7797-01c3-4706-8cd1-ec56a9db3adc"
- },
- {
- "description": "During production and distribution, the placement of software, firmware, or a CPU chip in a computer, handheld, or other electronic device that enables an adversary to gain illegal entrance. (Citation: McDRecall) (Citation: SeagateMaxtor)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The number of elements and components in a supply chain of HW or SW is vast and detecting an implant is complex for SW, but more complex for HW.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Access to the supply chain by an adversary can be a challenging endeavor, depending on what element is attempting to be subverted.",
- "value": "Hardware or software supply chain implant - PRE-T1142",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1142"
- ],
- "external_id": "PRE-T1142",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:stage-capabilities"
- ]
- },
- "uuid": "388f3a5c-2cdd-466c-9159-b507fa429fcd"
- },
- {
- "description": "The secondary level tactical element the adversary seeks to attack is the specific network or area of a network that is vulnerable to attack. Within the corporate network example, the secondary level tactical element might be a SQL server or a domain controller with a known vulnerability. 
(Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12 (R)) (Citation: DoD Cyber 2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. May change for special use cases or adversary and defender overlays.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.",
- "value": "Determine secondary level tactical element - PRE-T1021",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1021"
- ],
- "external_id": "PRE-T1021",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:target-selection"
- ]
- },
- "uuid": "b9148981-152a-4a19-95c1-962803f5c9af"
- },
- {
- "description": "An adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure. 
(Citation: APT1) (Citation: RedOctober)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Infrastructure is (typically) outside of control/visibility of defender and as such as tools are staged for specific campaigns, it will not be observable to those being attacked.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS providers).",
- "value": "Upload, install, and configure software/tools - PRE-T1139",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1139"
- ],
- "external_id": "PRE-T1139",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:stage-capabilities"
- ]
- },
- "uuid": "e8471f43-2742-4fd7-9af7-8ed1330ada37"
- },
- {
- "description": "Leadership organizes Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) into three types of categories and creates more if necessary. An example of a description of key players KIT would be when an adversary assesses the cyber defensive capabilities of a nation-state threat actor. (Citation: Herring1999)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. 
May not be done by all adversaries.",
- "value": "Assign KITs/KIQs into categories - PRE-T1005",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1005"
- ],
- "external_id": "PRE-T1005",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:priority-definition-planning"
- ]
- },
- "uuid": "a86a21a4-6304-4df3-aa6d-08114c47d48f"
- },
- {
- "description": "An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. (Citation: Li2014ExploitKits) (Citation: RecurlyGHOST)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Analyze technical scanning results to identify weaknesses in the configuration or architecture. Many of the common tools highlight these weakness automatically (e.g., software security scanning tools or published vulnerabilities about commonly used libraries).",
- "value": "Analyze application security posture - PRE-T1070",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1070"
- ],
- "external_id": "PRE-T1070",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:technical-weakness-identification"
- ]
- },
- "uuid": "fe421ab9-c8f3-42f7-9ae1-5d6c324cc925"
- },
- {
- "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nSending messages through social media platforms to individuals identified as a target. These messages may include malicious attachments or links to malicious sites or they may be designed to establish communications for future actions. 
(Citation: APT1) (Citation: Nemucod Facebook)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Extremely hard to identify (in the launch phase) what message via social media is hostile versus what is not. Increased use of encrypted communications increases the difficulty average defender's have in detecting use of this technique.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending messages to individuals identified as a target follows normal tradecraft for using social media.",
- "value": "Targeted social media phishing - PRE-T1143",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1143"
- ],
- "external_id": "PRE-T1143",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:launch"
- ]
- },
- "uuid": "eb517589-eefc-480e-b8e3-7a8b1066f6f1"
- },
- {
- "description": "The adversary can obtain an Apple iOS enterprise distribution key pair and certificate and use it to distribute malicious apps directly to Apple iOS devices without the need to publish the apps to the Apple App Store (where the apps could potentially be detected). (Citation: Apple Developer Enterprise Porgram Apps) (Citation: Fruit vs Zombies) (Citation: WIRELURKER) (Citation: Sideloading Change)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Starting in iOS 9, Apple has changed the user interface when installing apps to better indicate to users the potential implications of installing apps signed by an enterprise distribution key rather than from Apple's App Store and to make it more difficult for users to inadvertently install these apps. Additionally, enterprise management controls are available that can be imposed to prevent installing these apps. 
Also, enterprise mobility management / mobile device management (EMM/MDM) systems can be used to scan for the presence of undesired apps on enterprise mobile devices.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Apple requires a DUNS number, corporate documentation, and $299 to obtain an enterprise distribution certificate. Additionally, Apple revokes certificates if they discover malicious use. However, the enrollment information could be falsified to Apple by an adversary, or an adversary could steal an existing enterprise distribution certificate (and the corresponding private key) from a business that already possesses one.",
- "value": "Obtain Apple iOS enterprise distribution key pair and certificate - PRE-T1169",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1169"
- ],
- "external_id": "PRE-T1169",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:persona-development"
- ]
- },
- "uuid": "d58f3996-e293-4f69-a2c8-0e1851cb8297"
- },
- {
- "description": "Infrastructure services includes the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than being managed by the owning organization. 
(Citation: FFIECAwareness) (Citation: Zetter2015Threats)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The data is passive in nature or not controlled by the defender, so it is hard to identify when an adversary is getting or analyzing the data.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Based on what the 3rd party infrastructure is, there are many tell tail signs which indicate it is hosted by a 3rd party, such as ASN data, MX or CNAME pointers or IP addresses",
- "value": "Determine 3rd party infrastructure services - PRE-T1037",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1037"
- ],
- "external_id": "PRE-T1037",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:technical-information-gathering"
- ]
- },
- "uuid": "856a9371-4f0f-4ea9-946e-f3144204240f"
- },
- {
- "description": "As with legitimate development efforts, different skill sets may be required for different phases of an attack. The skills needed may be located in house, can be developed, or may need to be contracted out. (Citation: APT1)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Recruitment is, by its nature, either clandestine or off the record.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Like target organizations, adversary organizations are competing to identify and hire top technical talent. 
Training less technical staff is also a viable option.",
- "value": "Identify resources required to build capabilities - PRE-T1125",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1125"
- ],
- "external_id": "PRE-T1125",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:build-capabilities"
- ]
- },
- "uuid": "c9fb4451-729d-4771-b205-52c1829f949c"
- },
- {
- "description": "A form of social engineering designed build trust and to lay the foundation for future interactions or attacks. (Citation: BlackHatRobinSage)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Users have the ability to detect and report non-authenticated individuals requesting to follow, friend or connect to a target. However the rigidity in validating the users is not typically followed by standard users.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Connecting with \"friends\" is a fundamental requirement for social media - without it, social media is worthless. An adversary can easily create a profile and request targets to validate the requests.",
- "value": "Friend/Follow/Connect to targets of interest - PRE-T1141",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1141"
- ],
- "external_id": "PRE-T1141",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:stage-capabilities"
- ]
- },
- "uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d"
- },
- {
- "description": "Use of removable media as part of the Launch phase requires an adversary to determine type, format, and content of the media and associated malware. 
(Citation: BadUSB)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but development will be performed on their local systems.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Several exploit repositories and tool suites exist for re-use and tailoring.",
- "value": "Create infected removable media - PRE-T1132",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1132"
- ],
- "external_id": "PRE-T1132",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:build-capabilities"
- ]
- },
- "uuid": "eacadff4-164b-451c-bacc-7b29ebfd0c3f"
- },
- {
- "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nDNS (cache) poisoning is the corruption of an Internet server's domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address. (Citation: Google DNS Poisoning) (Citation: DNS Poisoning China) (Citation: Mexico Modem DNS Poison)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Tracking multiple DNS infrastructures will likely require multiple tools/services, more advanced analytics, and mature detection/response capabilities in order to be effective. 
Few defenders demonstrate the mature processes to immediately detect and mitigate against the use of this technique.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary poisons DNS entry to redirect traffic designated for one site to route to an adversary controlled resource.",
- "value": "DNS poisoning - PRE-T1159",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1159"
- ],
- "external_id": "PRE-T1159",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:launch"
- ]
- },
- "uuid": "76c9e8cb-52e1-4ddc-80d4-5f7231842e06"
- },
- {
- "description": "An adversary can attempt to identify web defensive services as [https://www.cloudflare.com/ CloudFlare], [https://github.com/jjxtra/Windows-IP-Ban-Service IPBan], and [https://www.snort.org/ Snort]. This may be done by passively detecting services, like [https://www.cloudflare.com/ CloudFlare] routing, or actively, such as by purposefully tripping security defenses. (Citation: NMAP WAF NSE)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Active service detection may trigger an alert. Passive service enumeration is not detected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary can passively detect services (e.g., [https://www.cloudflare.com/ CloudFlare] routing) or actively detect services (e.g., by purposefully tripping security defenses)",
- "value": "Identify web defensive services - PRE-T1033",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1033"
- ],
- "external_id": "PRE-T1033",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:technical-information-gathering"
- ]
- },
- "uuid": "288b3cc3-f4da-4250-ab8c-d8b5dbed94ca"
- },
- {
- "description": "An adversary may analyze technical scanning results to identify weaknesses in the configuration or architecture of a victim network. 
These weaknesses could include architectural flaws, misconfigurations, or improper security controls. (Citation: FireEyeAPT28)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Many of the common tools highlight these weakness automatically.",
- "value": "Analyze architecture and configuration posture - PRE-T1065",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1065"
- ],
- "external_id": "PRE-T1065",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:technical-weakness-identification"
- ]
- },
- "uuid": "87775365-2081-4b6e-99bd-48a3b8f36563"
- },
- {
- "description": "A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: 3rd party services highly leveraged by legitimate services, hard to distinguish from background noise. While an adversary can use their own infrastructure, most know this is a sure- re way to get caught. 
To add degrees of separation, they can buy or rent from another adversary or accomplice.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Wide range of 3rd party services for hosting, rotating, or moving C2, static data, exploits, exfiltration, etc.",
- "value": "Acquire and/or use 3rd party infrastructure services - PRE-T1084",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1084"
- ],
- "external_id": "PRE-T1084",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:adversary-opsec"
- ]
- },
- "uuid": "286cc500-4291-45c2-99a1-e760db176402"
- },
- {
- "description": "The approach or attack vector outlines the specifics behind how the adversary would like to attack the target. As additional information is known through the other phases of PRE-ATT&CK, an adversary may update the approach or attack vector. (Citation: CyberAdversaryBehavior) (Citation: WITCHCOVEN2015) (Citation: JP3-60) (Citation: JP3-12 (R)) (Citation: DoD Cyber 2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. May change for special use cases or adversary and defender overlays.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.",
- "value": "Determine approach/attack vector - PRE-T1022",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1022"
- ],
- "external_id": "PRE-T1022",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:target-selection"
- ]
- },
- "uuid": "d45fe3c2-0688-43b9-ac07-7eb86f575e93"
- },
- {
- "description": "If an adversary can identify which security tools a victim is using they may be able to identify ways around those tools. 
(Citation: CrowdStrike Putter Panda)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public source external to the defender's organization.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires in-depth research and potentially other intrusions, requires unbounded amount of work to possibly find a return on investment",
- "value": "Research visibility gap of security vendors - PRE-T1067",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1067"
- ],
- "external_id": "PRE-T1067",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:technical-weakness-identification"
- ]
- },
- "uuid": "b26babc7-9127-4bd5-9750-5e49748c9be3"
- },
- {
- "description": "Business processes, such as who typically communicates with who, or what the supply chain is for a particular part, provide opportunities for social engineering or other (Citation: Warwick2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Social engineering and other attempts to learn about business practices and processes would not immediately be associated with an impending cyber event.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: To get any kind of fidelity into business processes would require insider access. Basic processes could be mapped, but understanding where in the organization these processes take place and who to target during any given phase of the process would generally be difficult.",
- "value": "Analyze business processes - PRE-T1078",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1078"
- ],
- "external_id": "PRE-T1078",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:organizational-weakness-identification"
- ]
- },
- "uuid": "57619ab3-f6a5-43c8-8dd1-b0b8a986a870"
- },
- {
- "description": "Physical access may be required for certain types of adversarial actions. 
(Citation: CyberPhysicalAssessment) (Citation: CriticalInfrastructureAssessment)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Physical security is often unaware of implications of physical access to network. However, some organizations have thorough physical security measures that would log and report attempted incursions, perimeter breaches, unusual RF at a site, etc.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Social engineering and OSINT are still generally successful. Physical locations of offices/sites are easily determined. Monitoring for other sites of interest, such as backup storage vendors, is also easy to accomplish.",
- "value": "Assess security posture of physical locations - PRE-T1079",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1079"
- ],
- "external_id": "PRE-T1079",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:organizational-weakness-identification"
- ]
- },
- "uuid": "31a57c70-6709-4d06-a473-c3df1f74c1d4"
- },
- {
- "description": "Configure and setup booter/stressor services, often intended for server stress testing, to enable denial of service attacks. (Citation: Krebs-Anna) (Citation: Krebs-Booter) (Citation: Krebs-Bazaar)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Purchase of booster services is not observable; potentially can trace booster service used to origin of sale, yet not before attack is executed. 
Furthermore, subscription does not automatically mean foul intention.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easily accessible and used to launch DDoS attacks by even novice Internet users, and can be purchased from providers for a nominal fee, some of which even accept credit cards and PayPal payments to do.",
- "value": "Obtain booter/stressor subscription - PRE-T1173",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1173"
- ],
- "external_id": "PRE-T1173",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure"
- ]
- },
- "uuid": "3d1488a6-59e6-455a-8b80-78b53edc33fe"
- },
- {
- "description": "An adversary will assess collected information such as software/hardware versions, vulnerabilities, patch level, etc. They will analyze technical scanning results to identify weaknesses in the confirmation or architecture. (Citation: SurveyDetectionStrategies) (Citation: CyberReconPaper) (Citation: RSA-APTRecon) (Citation: FireEyeAPT28)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Many of the common tools highlight these weaknesses automatically. Adversary can \"dry run\" against the target using known exploits or burner devices to determine key identifiers of software, hardware, and services.",
- "value": "Analyze data collected - PRE-T1064",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1064"
- ],
- "external_id": "PRE-T1064",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:technical-weakness-identification"
- ]
- },
- "uuid": "773950e1-090c-488b-a480-9ff236312e31"
- },
- {
- "description": "Software applications will be built using different technologies, languages, and dependencies. 
This information may reveal vulnerabilities or opportunities to an adversary. (Citation: CommonApplicationAttacks) (Citation: WebApplicationSecurity) (Citation: SANSTop25)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Impossible to differentiate between an adversary and a normal user when accessing a site to determine the languages/technologies used. If active scanning tools are employed, then the defender has the ability to detect. However, this is typically not acted upon due to the large volume of this type of traffic and it will likely not prompt the defender to take any actionable defense. Defender review of access logs may provide some insight based on trends or patterns.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Basic interaction with the site provides insight into the programming languages/technologies used for a given web site. Additionally many of the active scanning tools will also provide some insight into this information.",
- "value": "Enumerate externally facing software applications technologies, languages, and dependencies - PRE-T1038",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1038"
- ],
- "external_id": "PRE-T1038",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:technical-information-gathering"
- ]
- },
- "uuid": "ef6197fd-a58a-4006-bfd6-1d7765d8409d"
- },
- {
- "description": "Analysts may receive Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from leadership or key decision makers and generate intelligence requirements to articulate intricacies of information required on a topic or question. (Citation: Herring1999)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. 
Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
- "value": "Generate analyst intelligence requirements - PRE-T1011",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1011"
- ],
- "external_id": "PRE-T1011",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:priority-definition-planning"
- ]
- },
- "uuid": "e754fa49-2db1-416b-92db-7f886decd099"
- },
- {
- "description": "Redirecting a communication request from one address and port number combination to another. May be set up to obfuscate the final location of communications that will occur in later stages of an attack. (Citation: SecureWorks HTRAN Analysis)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Infrastructure is (typically) outside of control/visibility of defender and as such as tools are staged for specific campaigns, it will not be observable to those being attacked.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS providers).",
- "value": "Port redirector - PRE-T1140",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1140"
- ],
- "external_id": "PRE-T1140",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:stage-capabilities"
- ]
- },
- "uuid": "13ff5307-b650-405a-9664-d8076930b2bf"
- },
- {
- "description": "Understanding an organizations business processes and tempo may allow an adversary to more effectively craft social engineering attempts or to better hide technical actions, such as those that generate network traffic. 
(Citation: Scasny2015) (Citation: Infosec-osint)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Current or previous employees may divulge information on the Internet. If insiders are used, the defender may have policies or tools in place to detect loss of this data or knowledge.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: In some cases, this requires some insider knowledge or specialized access to learn when critical operations occur in a corporation. For publicly traded US corporations, there is a lot of open source information about their financial reporting obligations (per SEC). Companies announce their annual shareholder meeting and their quarter phone calls with investors. Information such as this can help the adversary to glean certain aspects of the business processes and/or rhythm.",
- "value": "Identify business processes/tempo - PRE-T1057",
- "meta": {
- "refs": [
- "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1057"
- ],
- "external_id": "PRE-T1057",
- "kill_chain": [
- "mitre-pre-attack:enterprise-attack:organizational-information-gathering"
- ]
- },
- "uuid": "1f82ef59-b7da-4cd3-a41c-2e80f80f084f"
- },
- {
- "description": "Delivery systems are the infrastructure used by the adversary to host malware or other tools used during exploitation. Building and configuring delivery systems may include multiple activities such as registering domain names, renting hosting space, or configuring previously exploited environments. (Citation: APT1)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: It is detectable once deployed to the public Internet, used for adversarial purposes, discovered, and reported to defenders.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: It is easy to create and burn infrastructure. 
Otherwise, blacklisting would be more successful for defenders.", - "value": "Build and configure delivery systems - PRE-T1124", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1124" - ], - "external_id": "PRE-T1124", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:build-capabilities" - ] - }, - "uuid": "15ef4da5-3b93-4bb1-a39a-5396661956d3" - }, - { - "description": "Personnel internally to a company may have non-electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is an individual with financial authority to authorize large transactions. An adversary who compromises this individual might be able to subvert large dollar transfers. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The layers of data required and potential gaps of information to map a specific person to an authority or privilege on a network requires access to resources that may not tip off a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires an adversary to undergo an intensive research process. It is resource intensive or requires special data access. May be easier for certain specialty use cases.", - "value": "Identify personnel with an authority/privilege - PRE-T1048", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1048" - ], - "external_id": "PRE-T1048", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:people-information-gathering" - ] - }, - "uuid": "762771c2-3675-4535-88e9-b1f891758974" - }, - { - "description": "An adversary may research available open source information about a target commonly found on social media sites such as [https://www.facebook.com Facebook], [https://www.instagram.com Instagram], or [https://www.pinterest.com Pinterest]. 
Social media is public by design and provides insight into the interests and potentially inherent weaknesses of a target for exploitation by the adversary. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very public by design. Application of privacy settings is not a panacea.", - "value": "Mine social media - PRE-T1050", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1050" - ], - "external_id": "PRE-T1050", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:people-information-gathering" - ] - }, - "uuid": "695b1cce-57d7-49ae-a2af-820d50153f12" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nCredential pharming a form of attack designed to steal users' credential by redirecting users to fraudulent websites. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. (Citation: DriveByPharming) (Citation: GoogleDrive Phishing)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Fidelity of networking monitoring must be able to detect when traffic is diverted to non-normal sources at a site level. 
It is possible to identify some methods of pharming, but detection capabilities are limited and not commonly implemented.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Although it can be difficult to spoof/redirect content to a hostile service via DNS poisoning or MiTM attacks, current malware such as Zeus is able to successfully pharm credentials and end users are not well-versed in checking for certificate mismatches.", - "value": "Credential pharming - PRE-T1151", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1151" - ], - "external_id": "PRE-T1151", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:launch" - ] - }, - "uuid": "38a6d2f5-d948-4235-bb91-bb01604448b4" - }, - { - "description": "Leadership identifies gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: ODNIIntegration) (Citation: ICD115)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", - "value": "Identify gap areas - PRE-T1002", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1002" - ], - "external_id": "PRE-T1002", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:priority-definition-planning" - ] - }, - "uuid": "d778cb83-2292-4995-b006-d38f52bc1e64" - }, - { - "description": "Google and Apple provide Google Cloud Messaging and Apple Push Notification Service, respectively, services designed to enable efficient communication between third-party mobile app backend servers and the mobile apps running on individual devices. 
These services maintain an encrypted connection between every mobile device and Google or Apple that cannot easily be inspected and must be allowed to traverse networks as part of normal device operation. These services could be used by adversaries for communication to compromised mobile devices. (Citation: Securelist Mobile Malware 2013) (Citation: DroydSeuss)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: These services are heavily utilized by mainstream mobile app developers. High volume of communications makes it extremely hard for a defender to distinguish between legitimate and adversary communications.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: These are free services provided by Google and Apple to app developers, and information on how to use them is readily available.", - "value": "OS-vendor provided communication channels - PRE-T1167", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1167" - ], - "external_id": "PRE-T1167", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "5436571f-2332-4b51-b7ed-0bc822fe02c2" - }, - { - "description": "Job postings, on either company sites, or in other forums, provide information on organizational structure, needs, and gaps in an organization. This may give an adversary an indication of weakness in an organization (such as under-resourced IT shop). Job postings can also provide information on an organizations structure which could be valuable in social engineering attempts. 
(Citation: JobPostingThreat) (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public source external to the defender's organization.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very public by design.", - "value": "Identify job postings and needs/gaps - PRE-T1055", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1055" - ], - "external_id": "PRE-T1055", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:organizational-information-gathering" - ] - }, - "uuid": "7718e92f-b011-4f88-b822-ae245a1de407" - }, - { - "description": "Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No technical means to detect an adversary collecting information about a target. Any detection would be based upon strong OPSEC policy implementation.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very effective technique for the adversary that does not require any formal training and relies upon finding just one person who exhibits poor judgement.", - "value": "Conduct social engineering - PRE-T1056", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1056" - ], - "external_id": "PRE-T1056", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:organizational-information-gathering" - ] - }, - "uuid": "a757670d-d600-48d9-8ae9-601d42c184a5" - }, - { - "description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit organizational relationships. 
(Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires an intensive process. May be easier in certain industries where there are a limited number of suppliers (e.g., SCADA).", - "value": "Identify supply chains - PRE-T1053", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1053" - ], - "external_id": "PRE-T1053", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:organizational-information-gathering" - ] - }, - "uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c" - }, - { - "description": "Analysts identify gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: BrighthubGapAnalysis) (Citation: ICD115) (Citation: JP2-01)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", - "value": "Identify analyst level gaps - PRE-T1010", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1010" - ], - "external_id": "PRE-T1010", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:priority-definition-planning" - ] - }, - "uuid": "0fad2267-9f46-4ebb-91b5-d543243732cb" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nInstead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. 
(Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not have visibility on 3rd party sites unless target is successfully enticed to visit one.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly used technique currently (e.g., [https://www.wordpress.com WordPress] sites) as precursor activity to launching attack against intended target (e.g., acquiring botnet or layers of proxies for reducing attribution possibilities).", - "value": "Compromise 3rd party infrastructure to support delivery - PRE-T1111", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1111" - ], - "external_id": "PRE-T1111", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure" - ] - }, - "uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b" - }, - { - "description": "Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. 
(Citation: LUCKYCAT2012)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Difficult, but defender is well aware of technique and attempts to find discrepancies.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary has a variety of solutions, ranging in difficulty, that can be employed (e.g., BGP hijacking, tunneling, reflection, multi-hop, etc.)\nAdversary can also use misattributable credentials to obtain servers, build environment, [https://aws.amazon.com Amazon Web Services] (AWS) accounts, etc.", - "value": "Obfuscate infrastructure - PRE-T1086", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1086" - ], - "external_id": "PRE-T1086", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nExploits spread through advertising (malvertising) involve injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. (Citation: TPMalvertising)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Although some commercial technologies are being advertised which claim to detect malvertising, it largely spreads unknowingly because it doesn't always require an action by a user.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: An adversary can deploy exploits via malvertising using multiple mechanisms. 
Such mechanisms include an image ad that is infected, redirection, or using social engineering to get the end user to install the malicious software themselves.", - "value": "Deploy exploit using advertising - PRE-T1157", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1157" - ], - "external_id": "PRE-T1157", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:launch" - ] - }, - "uuid": "d72c0bc0-3007-418c-842c-328027ebdbc1" - }, - { - "description": "A network topology is the arrangement of the various elements of a network (e.g., servers, workstations, printers, routers, firewalls, etc.). Mapping a network allows an adversary to understand how the elements are connected or related. (Citation: man traceroute) (Citation: Shodan Tutorial)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Network mapping techniques/tools typically generate benign traffic that does not require further investigation by a defender since there is no actionable defense to execute. Defender review of access logs may provide some insight based on trends or patterns.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Various available tools and data sources for scouting and detecting network topologies.", - "value": "Map network topology - PRE-T1029", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1029" - ], - "external_id": "PRE-T1029", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "cdfdb0cd-a839-403c-9dd6-8a85d8c5c73d" - }, - { - "description": "Obfuscation is the act of creating communications that are more difficult to understand. Encryption transforms the communications such that it requires a key to reverse the encryption. (Citation: FireEyeAPT28)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Techniques and signatures are hard to detect. 
Advanced communications and exfiltration channels are nearly indistinguishable from background noise.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Known approaches include the use of cryptography for communications, rotating drops sites (such as random list of chat fora), and one-time [https://aws.amazon.com/s3/ Simple Storage Service (S3)] buckets, etc. All require sophisticated knowledge, infrastructure, and funding.", - "value": "Obfuscation or cryptography - PRE-T1090", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1090" - ], - "external_id": "PRE-T1090", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "c2ffd229-11bb-4fd8-9208-edbe97b14c93" - }, - { - "description": "The adversary can use account credentials or signing keys of an existing mobile app developer to publish malicious updates of existing mobile apps to an application store, or to abuse the developer's identity and reputation to publish new malicious apps. Many mobile devices are configured to automatically install new versions of already-installed apps. (Citation: Fraudenlent Apps Stolen Dev Credentials)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Possible to detect compromised credentials if alerting from a service provider is enabled and acted upon by the individual.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: The difficulty of obtaining useful developer credentials may vary. Well-organized, professional app developers whose credentials or signing keys would be the most useful to an adversary because of the large install bases of their apps, would likely strongly protect their credentials and signing keys. Less-organized app developers may not protect their credentials and signing keys as strongly, but the credentials and signing keys would also be less useful to an adversary. 
These less-organized app developers may reuse passwords across sites, fail to turn on multi-factor authentication features when available, or store signing keys in unprotected locations.", - "value": "Choose pre-compromised mobile app developer account credentials or signing keys - PRE-T1168", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1168" - ], - "external_id": "PRE-T1168", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:persona-development" - ] - }, - "uuid": "7a265bf0-6acc-4f43-8b22-2e58b443e62e" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nEmails with text only phishing messages do not contain any attachments or links to websites. They are designed to get a user to take a follow on action such as calling a phone number or wiring money. They can also be used to elicit an email response to confirm existence of an account or user. (Citation: Paypal Phone Scam)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: End user training and awareness is the primary defense for flagging a plain text email so the end user does not respond or take any requested action (e.g., calling a designated number).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending messages with text only should be accepted in most cases (e.g., not being filtered based on source, content).", - "value": "Spear phishing messages with text only - PRE-T1145", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1145" - ], - "external_id": "PRE-T1145", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:launch" - ] - }, - "uuid": "2fc04aa5-48c1-49ec-919a-b88241ef1d17" - }, - { - "description": "Callbacks are malware communications seeking instructions. 
An adversary will test their malware to ensure the appropriate instructions are conveyed and the callback software can be reached. (Citation: LeeBeaconing)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary controls the test and defender likely has no visibility.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary controls or acquires all pieces of infrastructure and can test outside of defender's visibility.", - "value": "Test callback functionality - PRE-T1133", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1133" - ], - "external_id": "PRE-T1133", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:test-capabilities" - ] - }, - "uuid": "0649fc36-72a0-40a0-a2f9-3fc7e3231ad6" - }, - { - "description": "Technical blogs and forums provide a way for technical staff to ask for assistance or troubleshoot problems. In doing so they may reveal information such as operating system (OS), network devices, or applications in use. (Citation: FunAndSun2012)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Cannot detect access to public sites.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Success is dependent upon the existence of detailed technical specifications for target network posted in blogs/forums. Poor OPSEC practices result in an adversary gleaning a lot of sensitive information about configurations and/or issues encountered.", - "value": "Mine technical blogs/forums - PRE-T1034", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1034" - ], - "external_id": "PRE-T1034", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "a54a7708-8f64-45f3-ad51-1abf976986a0" - }, - { - "description": "This technique has been deprecated. 
Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nUsers may be performing legitimate activity but using media that is compromised (e.g., using a USB drive that comes with malware installed during manufacture or supply). Upon insertion in the system the media auto-runs and the malware executes without further action by the user. (Citation: WSUSpect2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Environments without extensive endpoint sensing capabilities do not typically collect this level of detailed information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Autoruns with USB keys and CDs traditionally were always on (e.g., [http://windows.microsoft.com Windows] 7 is now an exception with a new policy of limiting the always on nature of Autoruns), ensuring and automated system completes a requested action. Specialized use cases exist where automated systems are specifically designed against automatically performing certain actions (e.g., USB/CD insertion and automatically running is disabled in certain environments).", - "value": "Automated system performs requested action - PRE-T1161", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1161" - ], - "external_id": "PRE-T1161", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:compromise" - ] - }, - "uuid": "0e6abb17-0f81-4988-9fd2-4ba0b673d729" - }, - { - "description": "A payload is the part of the malware which performs a malicious action. The adversary may re-use payloads when the needed capability is already available. (Citation: SonyDestover)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but detecting an adversary acquiring a payload would require the defender to be monitoring the code repository where the payload is stored. 
If the adversary re-uses payloads, this allows the defender to create signatures to detect using these known indicators of compromise (e.g., hashes).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Several exploit repositories and tool suites exist for re-use and tailoring.", - "value": "Obtain/re-use payloads - PRE-T1123", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1123" - ], - "external_id": "PRE-T1123", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:build-capabilities" - ] - }, - "uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768" - }, - { - "description": "Passive scanning is the act of looking at existing network traffic in order to identify information about the communications system. (Citation: SurveyDetectionStrategies) (Citation: CyberReconPaper)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Generates no network traffic that would enable detection.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easy to do but it requires a vantage point conducive to accessing this data.", - "value": "Conduct passive scanning - PRE-T1030", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1030" - ], - "external_id": "PRE-T1030", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "a7c620e5-cbc9-41b2-9695-418ef560f16c" - }, - { - "description": "Social media provides insight into the target's affiliations with groups and organizations. Certification information can explain their technical associations and professional associations. Personal information can provide data for exploitation or even blackmail. (Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public sources are external to the defender's organization. 
Some social media sites have an option to show you when users are looking at your profile, but an adversary can evade this tracking depending on how they conduct the searches.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Social and business relationship information for an individual can be found by examining their social media contacts (e.g., [https://www.facebook.com Facebook] and [https://www.linkedin.com LinkedIn]). Social media also provides insight into the target's affiliations with groups and organizations. Finally, certification information can explain their technical associations and professional associations.", - "value": "Analyze social and business relationships, interests, and affiliations - PRE-T1072", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1072" - ], - "external_id": "PRE-T1072", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:people-weakness-identification" - ] - }, - "uuid": "ee40d054-6e83-4302-88dc-a3af98821d8d" - }, - { - "description": "Technical network hiding techniques are methods of modifying traffic to evade network signature detection or to utilize misattribution techniques. Examples include channel/IP/VLAN hopping, mimicking legitimate operations, or seeding with misinformation. (Citation: HAMMERTOSS2015)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Unless defender is dissecting protocols or performing network signature analysis on any protocol deviations/patterns, this technique is largely undetected.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Some of the hiding techniques require special accesses (network, proximity, physical, etc.) 
and/or may rely on knowledge of how the defender operates and/or awareness on what visibility the defender has and how it is obtained", - "value": "Network-based hiding techniques - PRE-T1092", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1092" - ], - "external_id": "PRE-T1092", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "90884cdb-31dd-431c-87db-9cc7e03191e5" - }, - { - "description": "Once a persona has been developed an adversary will use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Unless there is some threat intelligence reporting, these users are hard to differentiate.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: The nature of social media is such that the adversary naturally connects to a target of interest without suspicion, given the purpose of the platform is to promote connections between individuals. Performing activities like typical users, but with specific intent in mind.", - "value": "Friend/Follow/Connect to targets of interest - PRE-T1121", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1121" - ], - "external_id": "PRE-T1121", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:persona-development" - ] - }, - "uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nRemovable media containing malware can be injected in to a supply chain at large or small scale. It can also be physically placed for someone to find or can be sent to someone in a more targeted manner. 
The intent is to have the user utilize the removable media on a system where the adversary is trying to gain access. (Citation: USBMalwareAttacks) (Citation: FPDefendNewDomain) (Citation: ParkingLotUSB)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: From a technical perspective, detection of an adversary disseminating removable media is not possible as there is no technical element involved until the compromise phase. Most facilities generally do not perform extensive physical security patrols, which would be necessary in order to promptly identify an adversary deploying removable media to be used in an attack.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly executed technique by penetration testers to gain access to networks via end users who are innately trusting of newly found or available technology.", - "value": "Disseminate removable media - PRE-T1156", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1156" - ], - "external_id": "PRE-T1156", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:stage-capabilities" - ] - }, - "uuid": "2f442206-2983-4fc2-93fd-0a828e026412" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nReplacing a legitimate binary with malware can be accomplished either by replacing a binary on a legitimate download site or standing up a fake or alternative site with the malicious binary. The intent is to have a user download and run the malicious binary thereby executing malware. 
(Citation: FSecureICS)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: On the host end user system, integrity checking (e.g., hash verification, code signing enforcement), application whitelisting, sandboxing, or behavioral-based/heuristic-based systems are most likely to be successful in detecting this technique. On the source webserver, detecting binary changes is easy to detect if performed.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires the adversary to replace a binary on a website where users will download the binary (e.g., patch, firmware update, software application) as innately trusted. The additional challenge is the reduced set of vendor-trusted websites that are vulnerable.", - "value": "Replace legitimate binary with malware - PRE-T1155", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1155" - ], - "external_id": "PRE-T1155", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:launch" - ] - }, - "uuid": "0d759854-9b69-438c-8325-74b03cc80cf0" - }, - { - "description": "Data sets can be anything from Security Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line as well as in the physical world. 
(Citation: SANSThreatProfile) (Citation: Infosec-osint) (Citation: isight-osint)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This activity is indistinguishable from legitimate business uses and easy to obtain.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Large quantities of data exists on people, organizations and technologies whether divulged wittingly or collected as part of doing business on the Internet (unbeknownst to the user/company). Search engine and database indexing companies continuously mine this information and make it available to anyone who queries for it.", - "value": "Acquire OSINT data sets and information - PRE-T1054", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1054" - ], - "external_id": "PRE-T1054", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:organizational-information-gathering" - ] - }, - "uuid": "028ad431-84c5-4eb7-a364-2b797c234f88" - }, - { - "description": "An adversary may secure and protect their infrastructure just as defenders do. This could include the use of VPNs, security software, logging and monitoring, passwords, or other defensive measures. 
(Citation: KrebsTerracottaVPN)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Indistinguishable from standard security practices employed by legitimate operators.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary benefits from our own advances, techniques, and software when securing and protecting their own development infrastructure.", - "value": "Secure and protect infrastructure - PRE-T1094", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1094" - ], - "external_id": "PRE-T1094", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "cc0faf66-4df2-4328-9c9c-b0ca5de915ad" - }, - { - "description": "Firmware is permanent software programmed into the read-only memory of a device. As with other types of software, firmware may be updated over time and have multiple versions. (Citation: Abdelnur Advanced Fingerprinting)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No easy way for defenders to detect when an adversary collects this information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Depending upon the target device, there are variable ways for an adversary to determine the firmware version. In some cases, this information can be derived from easily obtained information. 
For example, in [http://www.cisco.com Cisco] devices, the firmware version is easily determined once the device model and OS version is known since it is included in the release notes.", - "value": "Determine firmware version - PRE-T1035", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1035" - ], - "external_id": "PRE-T1035", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "6baf6388-d49f-4804-86a4-5837240555cd" - }, - { - "description": "Leadership derives Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from the areas of most interest to them. KITs are an expression of management's intelligence needs with respect to early warning, strategic and operational decisions, knowing the competition, and understanding the competitive situation. KIQs are the critical questions aligned by KIT which provide the basis for collection plans, create a context for analytic work, and/or identify necessary external operations. (Citation: Herring1999)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", - "value": "Develop KITs/KIQs - PRE-T1004", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1004" - ], - "external_id": "PRE-T1004", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:priority-definition-planning" - ] - }, - "uuid": "6063b486-a247-499b-976a-9de16f4e83bc" - }, - { - "description": "Common Vulnerability Enumeration (CVE) is a dictionary of publicly known information about security vulnerabilities and exposures. An adversary can use this information to target specific software that may be vulnerable. 
(Citation: WeaponsVulnerable) (Citation: KasperskyCarbanak)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public source external to the defender's organization.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Using standard headers/fingerprints from normal traffic, it is often trivial to identify the SW or HW the target is running, which can be correlated against known CVEs and exploit packages.", - "value": "Research relevant vulnerabilities/CVEs - PRE-T1068", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1068" - ], - "external_id": "PRE-T1068", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-weakness-identification" - ] - }, - "uuid": "abd5bed1-4c12-45de-a623-ab8dc4ff862a" - }, - { - "description": "A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available as 3rd party infrastructure services. These services could provide an adversary with another avenue of approach or compromise. 
(Citation: LUCKYCAT2012) (Citation: Schneier-cloud) (Citation: Computerworld-suppliers)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary searches publicly available sources and may find this information on the 3rd party web site listing new customers/clients.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Press releases may reveal this information particularly when it is an expected cost savings or improvement for scalability/reliability.", - "value": "Determine 3rd party infrastructure services - PRE-T1061", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1061" - ], - "external_id": "PRE-T1061", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:organizational-information-gathering" - ] - }, - "uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique that takes advantage of flaws in client-side applications without targeting specific users. For example, an exploit placed on an often widely used public web site intended for drive-by delivery to whomever visits the site. (Citation: CitizenLabGreatCannon)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defensive technologies exist to scan web content before delivery to the requested end user. However, this is not fool proof as some sites encrypt web communications and the adversary constantly moves to sites not previously flagged as malicious thus defeating this defense. 
Host-based defenses can also aid in detection/mitigation as well as detection by the web site that got compromised.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery.", - "value": "Untargeted client-side exploitation - PRE-T1147", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1147" - ], - "external_id": "PRE-T1147", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:launch" - ] - }, - "uuid": "2ec57bf1-fcc3-4c19-9516-79b7fde483af" - }, - { - "description": "Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. (Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not have visibility on 3rd party sites unless target is successfully enticed to visit one.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly used technique currently (e.g., [https://www.wordpress.com WordPress] sites) as precursor activity to launching attack against intended target (e.g., acquiring botnet or layers of proxies for reducing attribution possibilities).", - "value": "Compromise 3rd party infrastructure to support delivery - PRE-T1089", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1089" - ], - "external_id": "PRE-T1089", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "4900fabf-1142-4c1f-92f5-0b590e049077" - }, - { - "description": "Email addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. 
For example if a known email address is first.last@company.com it is likely that others in the company will have an email in the same format. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Easily determined and not intended to be protected information. Publicly collected and shared repositories of email addresses exist.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Scraping of known email addresses from the target will likely reveal the target standard for address/username format. This information is easily discoverable.", - "value": "Discover target logon/email address format - PRE-T1032", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1032" - ], - "external_id": "PRE-T1032", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "ef0f816a-d561-4953-84c6-2a2936c96957" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nThe use of software, data, or commands to take advantage of a weakness in a computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. (Citation: GoogleCrawlerSQLInj)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: If the application and network are designed well, the defender should be able to utilize logging and application logic to catch and deflect SQL injection attacks.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Launching a SQL injection attack is not overly complex and a commonly used technique. 
This technique, however, requires finding a vulnerable application.", - "value": "Exploit public-facing application - PRE-T1154", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1154" - ], - "external_id": "PRE-T1154", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:launch" - ] - }, - "uuid": "8a64f743-acaa-49d5-9d3d-ae5616a3876f" - }, - { - "description": "Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) may be further subdivided to focus on political, economic, diplomatic, military, financial, or intellectual property categories. An adversary may specify KITs or KIQs in this manner in order to understand how the information they are pursuing can have multiple uses and to consider all aspects of the types of information they need to target for a particular purpose. (Citation: CompetitiveIntelligence) (Citation: CompetitiveIntelligence)KIT.\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", - "value": "Assess KITs/KIQs benefits - PRE-T1006", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1006" - ], - "external_id": "PRE-T1006", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:priority-definition-planning" - ] - }, - "uuid": "ae85ba2f-27ea-42d9-b42a-0fe89ee19ed5" - }, - { - "description": "Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. 
(Citation: DellComfooMasters)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: While possible to detect given a significant sample size, depending on how the unique identifier is used detection may be difficult as similar patterns may be employed elsewhere (e.g., content hosting providers, account reset URLs).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: An adversary can easily generate pseudo-random identifiers to associate with a specific target, include the indicator as part of a URL and then identify which target was successful.", - "value": "Obfuscate operational infrastructure - PRE-T1095", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1095" - ], - "external_id": "PRE-T1095", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "9d234df0-2344-4db4-bc0f-8de9c6c071a7" - }, - { - "description": "Malware may perform differently on different platforms (computer vs handheld) and different operating systems ([http://www.ubuntu.com Ubuntu] vs [http://www.apple.com/osx/ OS X]), and versions ([http://windows.microsoft.com Windows] 7 vs 10) so malicious actors will test their malware in the environment(s) where they most expect it to be executed. 
(Citation: BypassMalwareDefense)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary controls the test and defender likely has no visibility.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary can simulate most environments (e.g., variable operating systems, patch levels, application versions) with details available from other techniques.", - "value": "Test malware in various execution environments - PRE-T1134", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1134" - ], - "external_id": "PRE-T1134", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:test-capabilities" - ] - }, - "uuid": "e042a41b-5ecf-4f3a-8f1f-1b528c534772" - }, - { - "description": "Determining if a \"corporate\" help desk exists, the degree of access and control it has, and whether there are \"edge\" units that may have different support processes and standards. (Citation: SANSCentratlizeManagement)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No technical means to detect an adversary collecting information about a target. Any detection would be based upon strong OPSEC policy implementation.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Requires an adversary to undergo a research process to learn the internal workings of an organization. 
An adversary can do this by social engineering individuals in the company by claiming to need to find information for the help desk, or through social engineering of former employees or business partners.", - "value": "Determine centralization of IT management - PRE-T1062", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1062" - ], - "external_id": "PRE-T1062", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:organizational-information-gathering" - ] - }, - "uuid": "a7dff5d5-99f9-4a7e-ac54-a64113c28121" - }, - { - "description": "An adversary can test physical access options in preparation for the actual attack. This could range from observing behaviors and noting security precautions to actually attempting access. (Citation: OCIAC Pre Incident Indicators) (Citation: NewsAgencySpy)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defender often install badging, cameras, security guards or other detection techniques for physical security and monitoring.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires a physical presence in the space being entered and increased risk of being detected/detained (e.g., recorded on video camera)", - "value": "Test physical access - PRE-T1137", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1137" - ], - "external_id": "PRE-T1137", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:test-capabilities" - ] - }, - "uuid": "18bfa01c-9fa9-409f-91f5-4a2822609d81" - }, - { - "description": "Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an signed piece of code even if they don't know who issued the certificate or who the author is. 
(Citation: Adobe Code Signing Cert)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not know what certificates an adversary acquires from a 3rd party. Defender will not know prior to public disclosure if a 3rd party has had their certificate compromised.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: It is trivial to purchase code signing certificates within an organization; many exist and are available at reasonable cost. It is complex to factor or steal 3rd party code signing certificates for use in malicious mechanisms", - "value": "Acquire or compromise 3rd party signing certificates - PRE-T1087", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1087" - ], - "external_id": "PRE-T1087", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59" - }, - { - "description": "Leadership assesses the areas of most interest to them and generates Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ). For example, an adversary knows from open and closed source reporting that cyber is of interest, resulting in it being a KIT. (Citation: ODNIIntegration)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. 
May not be done by all adversaries.", - "value": "Assess leadership areas of interest - PRE-T1001", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1001" - ], - "external_id": "PRE-T1001", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:priority-definition-planning" - ] - }, - "uuid": "d3999268-740f-467e-a075-c82e2d04be62" - }, - { - "description": "Client configurations information such as the operating system and web browser, along with additional information such as version or language, are often transmitted as part of web browsing communications. This can be accomplished in several ways including use of a compromised web site to collect details on visiting computers. (Citation: UnseenWorldOfCookies) (Citation: Panopticlick)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Typical information collected as part of accessing web sites (e.g., operating system, browser version, basic configurations).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Basic web scripting capability to collect information of interest on users of interest. Requires a compromised web site and the users of interest to navigate there.", - "value": "Enumerate client configurations - PRE-T1039", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1039" - ], - "external_id": "PRE-T1039", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "78ae433b-289d-4c8d-b8c1-f8de0b7f9090" - }, - { - "description": "Every domain registrar maintains a publicly viewable database that displays contact information for every registered domain. Private 'whois' services display alternative information, such as their own company data, rather than the owner of the domain. 
(Citation: APT1)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Algorithmically possible to detect COTS service usage or use of non-specific mailing addresses (PO Boxes, drop sites, etc.)\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commercially available or easy to set up and/or register using a disposable email account.", - "value": "Private whois services - PRE-T1082", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1082" - ], - "external_id": "PRE-T1082", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "3160347f-11ac-44a3-9640-a648b3c17a8f" - }, - { - "description": "Once generated, Key Intelligence Topics (KITs), Key Intelligence Questions (KIQs), and/or intelligence requirements are assigned to applicable agencies and/or personnel. For example, an adversary may decide nuclear energy requirements should be assigned to a specific organization based on their mission. (Citation: AnalystsAndPolicymaking) (Citation: JP2-01)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. 
May not be done by all adversaries.", - "value": "Assign KITs, KIQs, and/or intelligence requirements - PRE-T1015", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1015" - ], - "external_id": "PRE-T1015", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:priority-definition-direction" - ] - }, - "uuid": "4fad17d3-8f42-449d-ac4b-dbb4c486127d" - }, - { - "description": "Personnel internally to a company may belong to a group or maintain a role with electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is a system administrator. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires an adversary to undergo an intensive research process. It is resource intensive or requires special data access. May be easier for certain specialty use cases.", - "value": "Identify groups/roles - PRE-T1047", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1047" - ], - "external_id": "PRE-T1047", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:people-information-gathering" - ] - }, - "uuid": "89a79d91-53e0-4ef5-ba28-558cb8b01f76" - }, - { - "description": "After compromise, an adversary may utilize additional tools to facilitate their end goals. This may include tools to further explore the system, move laterally within a network, exfiltrate data, or destroy data. 
(Citation: SofacyHits)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but development will be performed on their local systems.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Post compromise tool development is a standard part of the adversary's protocol in developing the necessary tools required to completely conduct an attack.", - "value": "Post compromise tool development - PRE-T1130", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1130" - ], - "external_id": "PRE-T1130", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:build-capabilities" - ] - }, - "uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7" - }, - { - "description": "There is usually a delay between when a vulnerability or exploit is discovered and when it is made public. An adversary may target the systems of those known to research vulnerabilities in order to gain that knowledge for use during a different attack. 
(Citation: TempertonDarkHotel)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The compromise of unknown vulnerabilities would provide little attack and warning against a defender, rendering it highly challenging to detect.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Finding, attacking, and compromising a 3rd party or closed vulnerability entity is challenging, because those containing the vulnerabilities should be very aware of attacks on their environments have a heightened awareness.", - "value": "Compromise 3rd party or closed-source vulnerability/exploit information - PRE-T1131", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1131" - ], - "external_id": "PRE-T1131", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:build-capabilities" - ] - }, - "uuid": "5a68c603-d7f9-4535-927e-ab56819eaa85" - }, - { - "description": "Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line, such as from search engines, as well as in the physical world. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This activity is indistinguishable from legitimate business uses and easy to obtain. Direct access to the selected target is not required for the adversary to conduct this technique. There is a limited ability to detect this by looking at referrer fields on local web site accesses (e.g., a person who has accessed your web servers from [https://www.shodan.io Shodan]).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Possible to gather technical intelligence about Internet accessible systems/devices by obtaining various commercial data sets and supporting business intelligence tools for ease of analysis. 
Commercial data set examples include advertising content delivery networks, Internet mapping/traffic collections, system fingerprinting data sets, device fingerprinting data sets, etc.", - "value": "Acquire OSINT data sets and information - PRE-T1024", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1024" - ], - "external_id": "PRE-T1024", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b" - }, - { - "description": "A wide variety of 3rd party software services are available (e.g., [https://twitter.com Twitter], [https://www.dropbox.com Dropbox], [https://www.google.com/docs/about/ GoogleDocs]). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012) (Citation: Nemucod Facebook)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not have visibility over account creation for 3rd party software services.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: 3rd party services like these listed are freely available.", - "value": "Acquire and/or use 3rd party software services - PRE-T1085", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1085" - ], - "external_id": "PRE-T1085", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "1a295f87-af63-4d94-b130-039d6221fb11" - }, - { - "description": "This technique has been deprecated. 
Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nUpon successful compromise the adversary may implement methods for confirming success including communication to a command and control server, exfiltration of data, or a verifiable intended effect such as a publicly accessible resource being inaccessible or a web page being defaced. (Citation: FireEye Malware Stages) (Citation: APTNetworkTrafficAnalysis)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Current commercial tools and sensitive analytics can be used to detect communications to command and control servers or data exfiltration.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Certainty of the confirmation of compromise is not guaranteed unless the adversary sees communication to a command and control server, exfiltration of data, or an intended effect occur.", - "value": "Confirmation of launched compromise achieved - PRE-T1160", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1160" - ], - "external_id": "PRE-T1160", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:compromise" - ] - }, - "uuid": "f4c5d1d9-8f0e-46f1-a9fa-f9a440926046" - }, - { - "description": "Job postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts. 
(Citation: JobPostingThreat)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public source external to the defender's organization.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very public by design.", - "value": "Identify job postings and needs/gaps - PRE-T1044", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1044" - ], - "external_id": "PRE-T1044", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:people-information-gathering" - ] - }, - "uuid": "0722cd65-0c83-4c89-9502-539198467ab1" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nSocial Engineering is the practice of manipulating people in order to get them to divulge information or take an action. Human Intelligence (HUMINT) is intelligence collected and provided by human sources. (Citation: 17millionScam) (Citation: UbiquityEmailScam)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Assuming an average company does not train its employees to be aware of social engineering techniques, it is not possible to detect the adversary's use unless a highly motivated or paranoid employee informs security. This assessment flips to a 1 in cases of environments where security trains employees to be vigilant or in specialized industries where competitive intelligence and business intelligence train employees to be highly aware. Most likely more complex for an adversary to detect as methods move to physical or non traditionally monitored mechanisms (such as phone calls outside of call centers). Furthermore, the content of such an interaction may be lost due to lack of collection.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Assuming an average adversary whose focus is social engineering, it is not difficult for an adversary. 
Assuming a HUMINT operation and specialized circumstances, the adversary difficulty becomes 1. Social engineering can be easily done remotely via email or phone. In contrast, HUMINT operations typically would require physical contact at some point in the process, increasing the difficulty.", - "value": "Conduct social engineering or HUMINT operation - PRE-T1153", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1153" - ], - "external_id": "PRE-T1153", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:launch" - ] - }, - "uuid": "b79a1960-d0be-4b51-bb62-b27e91e1dea0" - }, - { - "description": "A wide variety of 3rd party software services are available (e.g., [https://twitter.com Twitter], [https://www.dropbox.com Dropbox], [https://www.google.com/docs/about/ GoogleDocs]). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LOWBALL2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not have visibility over account creation for 3rd party software services.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: 3rd party services like these listed are freely available.", - "value": "Acquire and/or use 3rd party software services - PRE-T1107", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1107" - ], - "external_id": "PRE-T1107", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure" - ] - }, - "uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6" - }, - { - "description": "An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. 
(Citation: OSFingerprinting2014)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Analyze network traffic to determine security filtering policies, packets dropped, etc.", - "value": "Analyze hardware/software security defensive capabilities - PRE-T1071", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1071" - ], - "external_id": "PRE-T1071", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-weakness-identification" - ] - }, - "uuid": "a1e8d61b-22e1-4983-8485-96420152ecd8" - }, - { - "description": "Dynamic DNS is a automated method to rapidly update the domain name system mapping of hostnames to IPs. (Citation: FireEyeSupplyChain)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not know at first use what is valid or hostile traffic without more context.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: It is relatively easy to subscribe to dynamic DNS providers or find ways to get different IP addresses from a cloud provider.", - "value": "Dynamic DNS - PRE-T1110", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1110" - ], - "external_id": "PRE-T1110", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure" - ] - }, - "uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe" - }, - { - "description": "An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may need to discover new exploits when existing exploits are no longer relevant to the environment they are trying to compromise. 
An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. (Citation: EquationQA)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public source external to the defender's organization.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Many public sources exist for this information.", - "value": "Discover new exploits and monitor exploit-provider forums - PRE-T1127", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1127" - ], - "external_id": "PRE-T1127", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:build-capabilities" - ] - }, - "uuid": "82bbd209-f516-45e0-9542-4ffbbc2a8717" - }, - { - "description": "For attacks incorporating social engineering the utilization of an on-line persona is important. Utilizing an existing persona with compromised accounts may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. (Citation: AnonHBGary) (Citation: Hacked Social Media Accounts)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Possible to detect compromised credentials if alerting from a service provider is enabled and acted upon by the individual.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: It is relatively easy and low cost to purchase compromised credentials. Mining social media sites offers open source information about a particular target. 
Most users tend to reuse passwords across sites and are not paranoid enough to check and see if spoofed sites from their persona exist across current social media.", - "value": "Choose pre-compromised persona and affiliated accounts - PRE-T1120", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1120" - ], - "external_id": "PRE-T1120", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:persona-development" - ] - }, - "uuid": "9a8c47f6-ae69-4044-917d-4b1602af64d9" - }, - { - "description": "Open source intelligence (OSINT) provides free, readily available information about a target while providing the target no indication they are of interest. Such information can assist an adversary in crafting a successful approach for compromise. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This activity is indistinguishable from legitimate business uses and easy to obtain.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Possible to gather digital intelligence about a person is easily aided by social networking sites, free/for fee people search engines, and publicly available information (e.g., county databases on tickets/DUIs).", - "value": "Acquire OSINT data sets and information - PRE-T1043", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1043" - ], - "external_id": "PRE-T1043", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:people-information-gathering" - ] - }, - "uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a" - }, - { - "description": "The attempt to identify people of interest or with an inherent weakness for direct or indirect targeting to determine an approach to compromise a person or organization. Such targets may include individuals with poor OPSEC practices or those who have a trusted relationship with the intended target. 
(Citation: RSA-APTRecon) (Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Common defenses protecting against poor OPSEC practices are traditionally more policy-based in nature rather than technical. Policy-based mitigations are generally more difficult to enforce and track violations, making it more difficult that this technique can be detected by common defenses.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Specialty cases enable an adversary to use key words in order to search social media and identify personnel with poor OPSEC practices who may have access to specialized information which would make them a target of interest. In addition, the open nature of social media leads to a tendency among individuals to overshare, encouraging poor OPSEC and increasing the ease by which an adversary can identify interesting targets.", - "value": "Identify people of interest - PRE-T1046", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1046" - ], - "external_id": "PRE-T1046", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:people-information-gathering" - ] - }, - "uuid": "0c0f075b-5d69-43f2-90df-d9ad18f44624" - }, - { - "description": "Network trusts enable communications between different networks with specific accesses and permissions. Network trusts could include the implementation of domain trusts or the use of virtual private networks (VPNs). (Citation: CuckoosEgg) (Citation: CuckoosEgg)Wikipedia (Citation: KGBComputerMe)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This is not easily performed remotely and therefore not a detectable event. 
If the adversary can sniff traffic to deduce trust relations, this is a passive activity and not detectable.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Determining trust relationships once internal to a network is trivial. Simple tools like trace route can show evidence of firewalls or VPNs and then hosts on the either side of the firewall indicating a different trusted network. Active Directory command line tools can also identify separate trusted networks.\n\nIf completely external to a network, sniffing traffic (if possible) could also reveal the communications protocols that could be guessed to be a trusted network connection (e.g., IPsec, maybe SSL, etc.) though this is error-prone. \n\nWith no other access, this is hard for an adversary to do completely from a remote vantage point.", - "value": "Determine external network trust dependencies - PRE-T1036", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1036" - ], - "external_id": "PRE-T1036", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-information-gathering" - ] - }, - "uuid": "a2fc93cd-e371-4755-9305-2615b6753d91" - }, - { - "description": "An adversary undergoes an iterative target selection process that may begin either broadly and narrow down into specifics (strategic to tactical) or narrowly and expand outward (tactical to strategic). As part of this process, an adversary may determine a high level target they wish to attack. One example of this may be a particular country, government, or commercial sector. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12 (R)) (Citation: DoD Cyber 2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. 
May change for special use cases or adversary and defender overlays.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.", - "value": "Determine strategic target - PRE-T1018", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1018" - ], - "external_id": "PRE-T1018", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:target-selection" - ] - }, - "uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" - }, - { - "description": "Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Job postings and hiring requisitions have to be made public for contractors and many times have the name of the organization being supported. In addition, they outline the skills needed to do a particular job, which can provide insight into the technical structure and organization of a target.", - "value": "Analyze organizational skillsets and deficiencies - PRE-T1066", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1066" - ], - "external_id": "PRE-T1066", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:technical-weakness-identification" - ] - }, - "uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc" - }, - { - "description": "If going from strategic down to tactical or vice versa, an adversary would next consider the operational element. For example, the specific company within an industry or agency within a government. 
(Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12 (R)) (Citation: DoD Cyber 2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. May change for special use cases or adversary and defender overlays.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.", - "value": "Determine operational element - PRE-T1019", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1019" - ], - "external_id": "PRE-T1019", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:target-selection" - ] - }, - "uuid": "c860af4a-376e-46d7-afbf-262c41012227" - }, - { - "description": "An adversary can test their planned method of attack against existing security products such as email filters or intrusion detection sensors (IDS). (Citation: WiredVirusTotal)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Use of sites like [https://www.virustotal.com VirusTotal] to test signature detection often occurs to test detection. Defender can also look for newly added uploads as a precursor to an adversary's launch of an attack.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Current open source technologies and websites exist to facilitate adversary testing of malware against signatures.", - "value": "Test signature detection for file upload/email filters - PRE-T1138", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1138" - ], - "external_id": "PRE-T1138", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:test-capabilities" - ] - }, - "uuid": "c9ac5715-ee5c-4380-baf4-6f12e304ca93" - }, - { - "description": "From a tactical viewpoint, an adversary could potentially have a primary and secondary level target. 
The primary target represents the highest level tactical element the adversary wishes to attack. For example, the corporate network within a corporation or the division within an agency. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12 (R)) (Citation: DoD Cyber 2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. May change for special use cases or adversary and defender overlays.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.", - "value": "Determine highest level tactical element - PRE-T1020", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1020" - ], - "external_id": "PRE-T1020", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:target-selection" - ] - }, - "uuid": "dc7dfc9f-be1b-4e6e-a2e6-9a9bb2400ec9" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique used to compromise a specific group of end users by taking advantage of flaws in client-side applications. For example, infecting websites that members of a targeted group are known to visit with the goal to infect a targeted user's computer. (Citation: RSASEThreat) (Citation: WikiStagefright) (Citation: ForbesSecurityWeek) (Citation: StrongPity-waterhole)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defensive technologies exist to scan web content before delivery to the requested end user. However, this is not foolproof as some sites encrypt web communications and the adversary constantly moves to sites not previously flagged as malicious thus defeating this defense. Host-based defenses can also aid in detection/mitigation as well as detection by the web site that got compromised. 
The added challenge for a conditional watering hole is the reduced scope and likely reduced ability to detect or be informed. Determining deltas in content (e.g., differences files type/size/number/hashes) downloaded could also aid in detection.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery. The additional challenge is the reduced set of options for web sites to compromise since the set is reduced to those often visited by targets of interest.", - "value": "Targeted client-side exploitation - PRE-T1148", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1148" - ], - "external_id": "PRE-T1148", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:launch" - ] - }, - "uuid": "72923cae-6c8c-4da2-8f48-b73389529c25" - }, - { - "description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships, that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires an intensive process to obtain the full picture. It is possible to obtain basic information/some aspects via OSINT. 
May be easier in certain industries where there are a limited number of suppliers (e.g., SCADA).", - "value": "Identify supply chains - PRE-T1042", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1042" - ], - "external_id": "PRE-T1042", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:people-information-gathering" - ] - }, - "uuid": "59369f72-3005-4e54-9095-3d00efcece73" - }, - { - "description": "An adversary needs the necessary skills to set up procured equipment and software to create their desired infrastructure. (Citation: KasperskyRedOctober)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not have visibility on 3rd party sites unless target is successfully enticed to visit one.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Skills are common to majority of computer scientists and \"hackers\". Can be easily obtained through contracting if not organic to adversary's organization.", - "value": "Install and configure hardware, network, and systems - PRE-T1113", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1113" - ], - "external_id": "PRE-T1113", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure" - ] - }, - "uuid": "73e394e5-3d8a-40d1-ab8c-a1b4ea9db424" - }, - { - "description": "Host based hiding techniques are designed to allow an adversary to remain undetected on a machine upon which they have taken action. They may do this through the use of static linking of binaries, polymorphic code, exploiting weakness in file formats, parsers, or self-deleting code. 
(Citation: VirutAP)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Techniques are difficult to detect and might occur in uncommon use-cases (e.g., patching, anti-malware, anti-exploitation software).\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Some of the host-based hiding techniques require advanced knowledge combined with an understanding and awareness of the target's environment (e.g., exploiting weaknesses in file formats, parsers and detection capabilities).", - "value": "Host-based hiding techniques - PRE-T1091", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1091" - ], - "external_id": "PRE-T1091", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "6f088e84-37b2-44de-8df3-393908f2d77b" - }, - { - "description": "Physical locality information may be used by an adversary to shape social engineering attempts (language, culture, events, weather, etc.) or to plan for physical actions such as dumpster diving or attempting to access a facility. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary searches publicly available sources that list physical locations that cannot be monitored by a defender or are not necessarily monitored (e.g., all IP addresses touching their public web space listing physical locations).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Most corporations now list their locations on public facing websites. 
Some challenge still exists to find covert or sensitive locations.", - "value": "Determine physical locations - PRE-T1059", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1059" - ], - "external_id": "PRE-T1059", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:organizational-information-gathering" - ] - }, - "uuid": "2011ffeb-8003-41ef-b962-9d1cbfa35e6d" - }, - { - "description": "Leadership conducts a cost/benefit analysis that generates a compelling need for information gathering which triggers a Key Intelligence Toptic (KIT) or Key Intelligence Question (KIQ). For example, an adversary compares the cost of cyber intrusions with the expected benefits from increased intelligence collection on cyber adversaries. (Citation: LowenthalCh4) (Citation: KIT-Herring)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", - "value": "Conduct cost/benefit analysis - PRE-T1003", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1003" - ], - "external_id": "PRE-T1003", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:priority-definition-planning" - ] - }, - "uuid": "51bca707-a806-49bf-91e0-03885b0ac85c" - }, - { - "description": "Applicable agencies and/or personnel receive intelligence requirements and evaluate them to determine sub-requirements related to topics, questions, or requirements. For example, an adversary's nuclear energy requirements may be further divided into nuclear facilities versus nuclear warhead capabilities. (Citation: AnalystsAndPolicymaking)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. 
Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", - "value": "Receive KITs/KIQs and determine requirements - PRE-T1016", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1016" - ], - "external_id": "PRE-T1016", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:priority-definition-direction" - ] - }, - "uuid": "acfcbe7a-4dbc-4471-be2b-134faf479e3e" - }, - { - "description": "Outsourcing, the arrangement of one company providing goods or services to another company for something that could be done in-house, provides another avenue for an adversary to target. Businesses often have networks, portals, or other technical connections between themselves and their outsourced/partner organizations that could be exploited. Additionally, outsourced/partner organization information could provide opportunities for phishing. (Citation: Scasny2015) (Citation: OPM Breach)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Much of this analysis can be done using the target's open source website, which is purposely designed to be informational and may not have extensive visitor tracking capabilities.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Analyzing business relationships from information gathering may provide insight into outsourced capabilities. 
In certain industries, outsourced capabilities or close business partnerships may be advertised on corporate websites.", - "value": "Analyze presence of outsourced capabilities - PRE-T1080", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1080" - ], - "external_id": "PRE-T1080", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:organizational-weakness-identification" - ] - }, - "uuid": "34450117-d1d5-417c-bb74-4359fc6551ca" - }, - { - "description": "Implementation plans specify how the goals of the strategic plan will be executed. (Citation: ChinaCollectionPlan) (Citation: OrderOfBattle)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", - "value": "Create implementation plan - PRE-T1009", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1009" - ], - "external_id": "PRE-T1009", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:priority-definition-planning" - ] - }, - "uuid": "b355817c-cf63-43b4-94a4-05e9645fa910" - }, - { - "description": "Using alternative payment options allows an adversary to hide their activities. Options include crypto currencies, barter systems, pre-paid cards or shell accounts. (Citation: Goodin300InBitcoins)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender likely will not have access to payment information. Monitoring crypto-currency or barter boards is resource intensive and not fully automatable.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easy to use pre-paid cards or shell accounts to pay for services online. 
Crypto currencies and barter systems can avoid use of trace-able bank or credit apparatus.", - "value": "Non-traditional or less attributable payment options - PRE-T1093", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1093" - ], - "external_id": "PRE-T1093", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "b79e8a3f-a109-47c2-a0e3-564955590a3d" - }, - { - "description": "In addition to a target's social media presence may exist a larger digital footprint, such as accounts and credentials on e-commerce sites or usernames and logins for email. An adversary familiar with a target's username can mine to determine the target's larger digital footprint via publicly available sources. (Citation: DigitalFootprint) (Citation: trendmicro-vtech)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Information readily available through searches", - "value": "Aggregate individual's digital footprint - PRE-T1052", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1052" - ], - "external_id": "PRE-T1052", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:people-information-gathering" - ] - }, - "uuid": "b3f36317-3940-4d71-968f-e11ac1bf6a31" - }, - { - "description": "An adversary may identify sensitive personnel information not typically posted on a social media site, such as address, marital status, financial history, and law enforcement infractions. This could be conducted by searching public records that are frequently available for free or at a low cost online. 
(Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This type of information is useful to understand the individual and their ability to be blackmailed. Searching public records is easy and most information can be purchased for a low cost if the adversary really wants it.", - "value": "Identify sensitive personnel information - PRE-T1051", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1051" - ], - "external_id": "PRE-T1051", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:people-information-gathering" - ] - }, - "uuid": "7dae871c-effc-444b-9962-4b7efefe7d40" - }, - { - "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nThrough social engineering or other methods, an adversary can get users to perform physical actions that provide access to an adversary. This could include providing a password over the phone or inserting a 'found' CD or USB into a system. 
(Citation: AnonHBGary) (Citation: CSOInsideOutside)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Non-hypersensing environments do not typically collect this level of detailed information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Ill-informed users insert devices into their network that they randomly find, despite training educating them why this is not a wise idea.", - "value": "Human performs requested action of physical nature - PRE-T1162", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1162" - ], - "external_id": "PRE-T1162", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:compromise" - ] - }, - "uuid": "fb39384c-00e4-414a-88af-e80c4904e0b8" - }, - { - "description": "During mergers, divestitures, or other period of change in joint infrastructure or business processes there may be an opportunity for exploitation. During this type of churn, unusual requests, or other non standard practices may not be as noticeable. (Citation: RossiMergers) (Citation: MeidlHealthMergers)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Most of this activity would target partners and business processes. Partners would not report. Difficult to tie this activity to a cyber attack.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Mapping joint infrastructure and business processes is difficult without insider knowledge or SIGINT capability. 
While a merger creates and opportunity to exploit potentially cumbersome or sloppy business processes, advance notice of a merger is difficult; merger information is typically close-hold until the deal is done.", - "value": "Assess opportunities created by business deals - PRE-T1076", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1076" - ], - "external_id": "PRE-T1076", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:organizational-weakness-identification" - ] - }, - "uuid": "e2aa077d-60c9-4de5-b015-a9c382877cd9" - }, - { - "description": "The process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner. (Citation: CiscoAngler) (Citation: ProofpointDomainShadowing)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Detection of this technique requires individuals to monitor their domain registrant accounts routinely. In addition, defenders have had success with blacklisting sites or IP addresses, but an adversary can defeat this by rotating either the subdomains or the IP addresses associated with the campaign.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: To successfully conduct this attack, an adversary usually phishes the individual behind the domain registrant account, logs in with credentials, and creates a large amount of subdomains.", - "value": "Shadow DNS - PRE-T1117", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1117" - ], - "external_id": "PRE-T1117", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure" - ] - }, - "uuid": "3f157dee-74f0-41fc-801e-f837b8985b0a" - }, - { - "description": "A payload is the part of the malware which performs a malicious action. 
The adversary may create custom payloads when none exist with the needed capability or when targeting a specific environment. (Citation: APT1)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: It is likely that an adversary will create and develop payloads on inaccessible or unknown networks for OPSEC reasons.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Specialized tools exist for research, development, and testing of virus/malware payloads.", - "value": "Create custom payloads - PRE-T1122", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1122" - ], - "external_id": "PRE-T1122", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:build-capabilities" - ] - }, - "uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234" - }, - { - "description": "Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No technical means to detect an adversary collecting information about a target. Any detection would be based upon strong OPSEC policy implementation.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very effective technique for the adversary that does not require any formal training and relies upon finding just one person who exhibits poor judgement.", - "value": "Conduct social engineering - PRE-T1045", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1045" - ], - "external_id": "PRE-T1045", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:people-information-gathering" - ] - }, - "uuid": "af358cad-eb71-4e91-a752-236edc237dae" - }, - { - "description": "Certificates are designed to instill trust. 
They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. Acquiring a certificate for a domain name similar to one that is expected to be trusted may allow an adversary to trick a user in to trusting the domain (e.g., vvachovia instead of [https://www.wellsfargo.com/about/corporate/wachovia/ Wachovia] -- homoglyphs). (Citation: SubvertSSL) (Citation: PaypalScam)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defender can monitor for domains similar to popular sites (possibly leverage [https://www.alexa.com Alexa] top ''N'' lists as starting point).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: SSL certificates are readily available at little to no cost.", - "value": "SSL certificate acquisition for domain - PRE-T1114", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1114" - ], - "external_id": "PRE-T1114", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:establish-&-maintain-infrastructure" - ] - }, - "uuid": "e34b9ca1-8778-41a3-bba5-8edaab4076dc" - }, - { - "description": "An adversary can run their code on systems with cyber security protections, such as antivirus products, in place to see if their code is detected. They can also test their malware on freely available public services. 
(Citation: MalwareQAZirtest)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary controls the testing and can ensure data does not leak with proper OPSEC on testing.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary has the ability to procure products and not have reporting return to vendors or can choose to use freely available services", - "value": "Test malware to evade detection - PRE-T1136", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1136" - ], - "external_id": "PRE-T1136", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:test-capabilities" - ] - }, - "uuid": "8b57a8f1-9cbc-4b95-b162-cc2a1add94f2" - }, - { - "description": "An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may use or modify existing exploits when those exploits are still relevant to the environment they are trying to compromise. (Citation: NYTStuxnet) (Citation: NationsBuying)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but development will be performed on their local systems.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Several exploit repositories and tool suites exist for re-use and tailoring.", - "value": "Build or acquire exploits - PRE-T1126", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1126" - ], - "external_id": "PRE-T1126", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:build-capabilities" - ] - }, - "uuid": "4886e3c2-468b-4e26-b7e5-2031d995d13a" - }, - { - "description": "This technique has been deprecated. 
Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nIf an adversary can gain physical access to the target's environment they can introduce a variety of devices that provide compromise mechanisms. This could include installing keyboard loggers, adding routing/wireless equipment, or connecting computing devices. (Citation: Credit Card Skimmers)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This varies depending on the amount of monitoring within the environment. Highly secure environments might have more innate monitoring and catch an adversary doing this more easily.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: This likely requires the adversary to have close or insider access to introduce the mechanism of compromise.", - "value": "Unauthorized user introduces compromise delivery mechanism - PRE-T1164", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1164" - ], - "external_id": "PRE-T1164", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:compromise" - ] - }, - "uuid": "b3253d9e-ba11-430f-b5a3-4db844ce5413" - }, - { - "description": "Certain types of traffic (e.g., Twitter14, HTTP) are more commonly used than others. Utilizing more common protocols and software may make an adversary's traffic more difficult to distinguish from legitimate traffic. (Citation: symantecNITRO)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: High level of entropy in communications. 
High volume of communications makes it extremely hard for a defender to distinguish between legitimate and adversary communications.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to decipher or to make the communication less conspicuous.", - "value": "Common, high volume protocols and software - PRE-T1098", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1098" - ], - "external_id": "PRE-T1098", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "0c592c79-29a7-4a94-81a4-c87eae3aead6" - }, - { - "description": "Certain types of traffic (e.g., DNS tunneling, header inject) allow for user-defined fields. These fields can then be used to hide data. In addition to hiding data in network protocols, steganography techniques can be used to hide data in images or other file formats. Detection can be difficult unless a particular signature is already known. 
(Citation: BotnetsDNSC2) (Citation: HAMMERTOSS2015) (Citation: DNS-Tunnel)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Unless defender is dissecting protocols or performing network signature analysis on any protocol deviations/patterns, this technique is largely undetected.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: This technique requires a more advanced protocol understanding and testing to insert covert communication into legitimate protocol fields.", - "value": "Data Hiding - PRE-T1097", - "meta": { - "refs": [ - "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1097" - ], - "external_id": "PRE-T1097", - "kill_chain": [ - "mitre-pre-attack:enterprise-attack:adversary-opsec" - ] - }, - "uuid": "1ff8b824-5287-4583-ab6a-013bf36d4864" - } - ] -} + "name": "Pre Attack - Attack Pattern", + "type": "mitre-pre-attack-attack-pattern", + "description": "ATT&CK tactic", + "version": 3, + "source": "https://github.com/mitre/cti", + "uuid": "03c13bec-1708-11e8-92a0-a747c0787089", + "authors": [ + "MITRE" + ], + "values": [ + { + "description": "Many mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). An adversary can submit multiple code samples to these stores deliberately designed to probe the stores' security analysis capabilities, with the goal of determining effective techniques to place malicious applications in the stores that could then be delivered to targeted devices. 
(Citation: Android Bouncer) (Citation: Adventures in BouncerLand) (Citation: Jekyll on iOS) (Citation: Fruit vs Zombies)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The app store operators (e.g., Apple and Google) may detect the attempts, but it would not be observable to those being attacked.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: An adversary can submit code remotely using throwaway accounts, although a registration fee may need to be paid for each new account (e.g., $99 for Apple and $25 for Google Play Store).", + "value": "Test ability to evade automated mobile application security analysis performed by app stores - PRE-T1170", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1170" + ], + "external_id": "PRE-T1170", + "kill_chain": [ + "mitre-pre-attack:pre-attack:test-capabilities" + ] + }, + "uuid": "c9e85b80-39e8-42df-b275-86a2afcea9e8" + }, + { + "description": "Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: FireEyeAPT17)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will generally not have visibility into their infrastructure.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Building and testing infrastructure and obfuscating it to protect it against intrusions are a standard part of the adversary process in preparing to conduct an operation against a target.", + "value": "Obfuscate infrastructure - PRE-T1108", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1108" + ], + "external_id": "PRE-T1108", + "kill_chain": [ + "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure" + ] + }, + "uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39" + }, + { + "description": "Backup infrastructure allows an adversary to recover from environmental and system failures. 
It also facilitates recovery or movement to other infrastructure if the primary infrastructure is discovered or otherwise is no longer viable. (Citation: LUCKYCAT2012)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Infrastructure is (typically) outside of control/visibility of defender and as such as tools are staged for specific campaigns, it will not be obvious to those being attacked.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: The adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], commercial storage solutions).", + "value": "Create backup infrastructure - PRE-T1116", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1116" + ], + "external_id": "PRE-T1116", + "kill_chain": [ + "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure" + ] + }, + "uuid": "a425598d-7c19-40f7-9aa3-ac20f0d5c2b2" + }, + { + "description": "An adversary may assess a target's operational security (OPSEC) practices in order to identify targeting options. A target may share different information in different settings or be more of less cautious in different environments. (Citation: Scasny2015) (Citation: EverstineAirStrikes)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender does not have access to information stored outside of defenders scope or visibility (e.g., log data for Facebook is not easily accessible). Defender has very infrequent visibility into an adversary's more detailed TTPs for developing people targets.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Information is out in the open for items that are available - part of this is ease of use for consumers to support the expected networking use case. 
OSINT can provide many avenues to gather intel which contain weaknesses. Developing and refining the methodology to exploit weak human targets has been done for years (e.g., spies).", + "value": "Assess targeting options - PRE-T1073", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1073" + ], + "external_id": "PRE-T1073", + "kill_chain": [ + "mitre-pre-attack:pre-attack:people-weakness-identification" + ] + }, + "uuid": "d69c3e06-8311-4093-8e3e-0a8e06b15d92" + }, + { + "description": "Analysts may receive intelligence requirements from leadership and begin research process to satisfy a requirement. Part of this process may include delineating between needs and wants and thinking through all the possible aspects associating with satisfying a requirement. (Citation: FBIIntelligencePrimer)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "value": "Receive operator KITs/KIQs tasking - PRE-T1012", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1012" + ], + "external_id": "PRE-T1012", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-planning" + ] + }, + "uuid": "7863b7f1-c18a-4aad-a6cf-4aa6d8797531" + }, + { + "description": "An adversary will require some physical hardware and software. They may only need a lightweight set-up if most of their activities will take place using on-line infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems. 
(Citation: NYTStuxnet)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Outside of highly specific or rare HW, nearly impossible to detect and track.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Ease and availability of current hardware and software, mobile phones (cash and go phones), and additional online technology simplifies adversary process to achieve this technique (and possibly without traceability). The adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS).", + "value": "Procure required equipment and software - PRE-T1112", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1112" + ], + "external_id": "PRE-T1112", + "kill_chain": [ + "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure" + ] + }, + "uuid": "2141aea0-cf38-49aa-9e51-ac34092bc30a" + }, + { + "description": "Security defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses. (Citation: OSFingerprinting2014) (Citation: NMAP WAF NSE)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Technically, the defender has the ability to detect. However, this is typically not performed as this type of traffic would likely not prompt the defender to take any actionable defense. In addition, this would require the defender to closely review their access logs for any suspicious activity (if the activity is even logged).\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: The adversary will have some insight into defenses based on dropped traffic or filtered responses. 
It is more difficult to pinpoint which defenses are implemented (e.g., [https://www.fireeye.com FireEye] WMPS, [https://www.hpe.com Hewlett Packard Enterprise] Tipping Point IPS).", + "value": "Identify security defensive capabilities - PRE-T1040", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1040" + ], + "external_id": "PRE-T1040", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "04e93ca1-8415-4a46-8549-73b7c84f8dc3" + }, + { + "description": "Leadership or key decision makers may derive specific intelligence requirements from Key Intelligence Topics (KITs) or Key Intelligence Questions (KIQs). Specific intelligence requirements assist analysts in gathering information to establish a baseline of information about a topic or question and collection managers to clarify the types of information that should be collected to satisfy the requirement. (Citation: LowenthalCh4) (Citation: Heffter)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "value": "Derive intelligence requirements - PRE-T1007", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1007" + ], + "external_id": "PRE-T1007", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-planning" + ] + }, + "uuid": "15d5eaa4-597a-47fd-a692-f2bed434d904" + }, + { + "description": "The use of algorithms in malware to periodically generate a large number of domain names which function as rendezvous points for malware command and control servers. 
(Citation: DamballaDGA) (Citation: DambballaDGACyberCriminals)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: It is possible to detect the use of DGAs; however, defenders have largely not been successful at mitigating the domains because they are generally registered less than an hour before they are used and disposed of within 24 hours.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This technique does not require a significant amount of sophistication while still being highly effective. It was popularized by the Conficker worms but is prevalent in crimeware such as Murofet and BankPatch.", + "value": "Domain Generation Algorithms (DGA) - PRE-T1100", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1100" + ], + "external_id": "PRE-T1100", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "274164c6-4297-42d4-84b5-2369e51013fe" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nThe utilization of resources not owned by the adversary to launch exploits or operations. This includes utilizing equipment that was previously compromised or leveraging access gained by other methods (such as compromising an employee at a business partner location). 
(Citation: CitizenLabGreatCannon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: While possible to detect, it requires a broader vantage point than is typical that provides increased insight and conducts extensive data analysis and correlation between events.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Conducting technique requires either nation-state level capabilities or large amounts of financing to coordinate multiple 3rd party resources to gain desired insight.", + "value": "Leverage compromised 3rd party resources - PRE-T1152", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1152" + ], + "external_id": "PRE-T1152", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "2c8a9df4-52a9-4770-94b3-5e95ab7d59f9" + }, + { + "description": "Execution of code and network communications often result in logging or other system or network forensic artifacts. An adversary can run their code to identify what is recorded under different conditions. This may result in changes to their code or adding additional actions (such as deleting a record from a log) to the code. 
(Citation: EDB-39007) (Citation: infosec-covering-tracks)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary controls the test and defender likely has no visibility.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary has full control of environment to determine what level of auditing and traces exist on a system after execution.", + "value": "Review logs and residual traces - PRE-T1135", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1135" + ], + "external_id": "PRE-T1135", + "kill_chain": [ + "mitre-pre-attack:pre-attack:test-capabilities" + ] + }, + "uuid": "a16e4004-caac-4a0b-acd5-486f8fda1665" + }, + { + "description": "Job postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on technologies within the organization which could be valuable in attack or provide insight in to possible security weaknesses or limitations in detection or protection mechanisms. (Citation: JobPostingThreat)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Impossible to differentiate between an adversary and a normal user when accessing open/public information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Publicly posted information by design. 
Providing too much detail in the job posting could aid the adversary in learning more about the target's environment and possible technical weaknesses/deficiencies.", + "value": "Identify job postings and needs/gaps - PRE-T1025", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1025" + ], + "external_id": "PRE-T1025", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "c721b235-679a-4d76-9ae9-e08921fccf84" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nEmails with malicious attachments are designed to get a user to open/execute the attachment in order to deliver malware payloads. (Citation: APT1)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Many technologies exist to scan content and/or emulate a workstation prior to the target receiving and executing the attachment (detonation chambers) in order to reduce malicious emails and attachments being delivered to the intended target. However, encryption continues to be a stumbling block. In addition, there are a variety of commercial technologies available that enable users to screen for phishing messages and which are designed to enhance email security.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending the emails is the simple part, ensuring they make it to the target (e.g., not being filtered) may be challenging. 
Over time, an adversary refines their techniques to minimize detection by making their emails seem legitimate in structure and content.", + "value": "Spear phishing messages with malicious attachments - PRE-T1144", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1144" + ], + "external_id": "PRE-T1144", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" + }, + { + "description": "Fake certificates can be acquired by legal process or coercion. Or, an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as a part of Man-in-the-Middle attacks. (Citation: SubvertSSL)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The certificate authority who is hacked cannot easily see they've been compromised, but [https://www.google.com Google] has caught on to this occurring in previous attacks such as DigiNotar (Citation: DigiNotar2016) and [https://www.verisign.com Verisign].\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: One example of it occurring in the real world is the DigiNotar (Citation: DigiNotar2016) case. To be able to do this usually requires sophisticated skills and is traditionally done by a nation state to spy on its citizens.", + "value": "SSL certificate acquisition for trust breaking - PRE-T1115", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1115" + ], + "external_id": "PRE-T1115", + "kill_chain": [ + "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure" + ] + }, + "uuid": "54a42187-a20c-4e4e-ba31-8d15c9e1f57f" + }, + { + "description": "Proxies act as an intermediary for clients seeking resources from other systems. Using a proxy may make it more difficult to track back the origin of a network communication. 
(Citation: APT1)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defenders with standard capabilities will traditionally be able to see the first hop but not all the subsequent earlier hops an adversary takes to be able to conduct reconnaissance.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Proxies are readily available for the adversary with both free and cost-based options available.", + "value": "Proxy/protocol relays - PRE-T1081", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1081" + ], + "external_id": "PRE-T1081", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "b14f6692-b613-44bb-9f30-8381a5ff10d5" + }, + { + "description": "Domain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public or easily obtainable information by design.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: AS and IANA data are easily available, existing research tools.", + "value": "Determine domain and IP address space - PRE-T1027", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1027" + ], + "external_id": "PRE-T1027", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "23ecb7e0-0340-43d9-80a5-8971fe866ddf" + }, + { + "description": "A remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. An adversary may utilize existing RATs, modify existing RATs, or create their own RAT. 
(Citation: ActiveMalwareEnergy)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but development will be performed on their local systems.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Many successful RATs exist for re-use/tailoring in addition to those an adversary may choose to build from scratch. The adversary's capabilities, target sensitivity, and needs will likely determine whether a previous RAT is modified for use a new one is built from scratch.", + "value": "Remote access tool development - PRE-T1128", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1128" + ], + "external_id": "PRE-T1128", + "kill_chain": [ + "mitre-pre-attack:pre-attack:build-capabilities" + ] + }, + "uuid": "9755ecdc-deb0-40e6-af49-713cb0f8ed92" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique to push an [https://www.apple.com/ios iOS] or [https://www.android.com Android] MMS-type message to the target which does not require interaction on the part of the target to be successful. (Citation: BlackHat Stagefright) (Citation: WikiStagefright)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: For non-corporate cellular devices not joined to the corporate network, it is not possible to detect an adversary's use of the technique because messages traverse networks outside of the control of the employer. 
For corporate cellular devices which are joined to the corporate network, monitoring of messages and ability to patch against push attacks is possible, assuming they are fully monitored.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easily executed technique to push an MMS-type message to the target which does not require interaction on the part of the target to be successful.", + "value": "Push-notification client-side exploit - PRE-T1150", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1150" + ], + "external_id": "PRE-T1150", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "702dc95d-3266-42dc-9eef-4a19e2445148" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nClicking on links in email, opening attachments, or visiting websites that result in drive by downloads can all result in compromise due to users performing actions of a cyber nature. 
(Citation: AnonHBGary)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Some environments have anti-spearphishing mechanisms to detect or block the link before it reaches the user.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Users unwittingly click on spearphishing links frequently, despite training designed to educate about the perils of spearphishing.", + "value": "Authorized user performs requested cyber action - PRE-T1163", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1163" + ], + "external_id": "PRE-T1163", + "kill_chain": [ + "mitre-pre-attack:pre-attack:compromise" + ] + }, + "uuid": "0440f60f-9056-4791-a740-8eae96eb61fa" + }, + { + "description": "Once they have been created, intelligence requirements, Key Intelligence Topics (KITs), and Key Intelligence Questions (KIQs) are submitted into a central management system. (Citation: ICD204) (Citation: KIT-Herring)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "value": "Submit KITs, KIQs, and intelligence requirements - PRE-T1014", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1014" + ], + "external_id": "PRE-T1014", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-direction" + ] + }, + "uuid": "03da0598-ed46-4a73-bf43-0313b3522400" + }, + { + "description": "The use of credentials by an adversary with the intent to hide their true identity and/or portray them self as another person or entity. 
An adversary may use misattributable credentials in an attack to convince a victim that credentials are legitimate and trustworthy when this is not actually the case. (Citation: FakeSSLCerts)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: If a previous incident identified the credentials used by an adversary, defenders can potentially use these credentials to track the adversary through reuse of the same credentials.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: An adversary can easily create and use misattributable credentials to obtain servers, build environment, [https://aws.amazon.com AWS] accounts, etc. Many service providers require some form of identifiable information such as a phone number or email address, but there are several avenues to acquire these consistent with the misattributable identity.", + "value": "Misattributable credentials - PRE-T1099", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1099" + ], + "external_id": "PRE-T1099", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "31fa5b03-1ede-4fab-8a68-ed831fcf4899" + }, + { + "description": "Strategic plans outline the mission, vision, and goals for an adversary at a high level in relation to the key partners, topics, and functions the adversary carries out. (Citation: KPMGChina5Year) (Citation: China5YearPlans) (Citation: ChinaUN)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. 
May not be done by all adversaries.", + "value": "Create strategic plan - PRE-T1008", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1008" + ], + "external_id": "PRE-T1008", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-planning" + ] + }, + "uuid": "ec739e26-d097-4804-b04a-54dd81ff11e0" + }, + { + "description": "Once a 3rd party vendor has been identified as being of interest it can be probed for vulnerabilities just like the main target would be. (Citation: Zetter2015Threats) (Citation: WSJTargetBreach)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: 3rd parties would most likely not report network scans to their partners. Target network would not know that their 3rd party partners were being used as a vector.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: The difficult part is enumerating all 3rd parties. Finding major partners would not be difficult. Significantly easier with insider knowledge. Vulnerability scanning the 3rd party networks is trivial.", + "value": "Assess vulnerability of 3rd party vendors - PRE-T1075", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1075" + ], + "external_id": "PRE-T1075", + "kill_chain": [ + "mitre-pre-attack:pre-attack:organizational-weakness-identification" + ] + }, + "uuid": "1def484d-2343-470d-8925-88f45b5f9615" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nAttempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials to authenticate remotely. This access could be to a web portal, through a VPN, or in a phone app. 
(Citation: Remote Access Healthcare) (Citation: RDP Point of Sale)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: This is possible with diligent monitoring of login anomalies, expected user behavior/location. If the adversary uses legitimate credentials, it may go undetected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Attempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials. This is increasingly difficult to obtain access when two-factor authentication mechanisms are employed.", + "value": "Authentication attempt - PRE-T1158", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1158" + ], + "external_id": "PRE-T1158", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "4dfb98ea-03cc-4a9c-a3a7-b22e14f126c4" + }, + { + "description": "Domain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant. (Citation: ICANNDomainNameHijacking)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Generally not easily detectable unless domain registrar provides alerting on any updates.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Requires adversary to gain access to an email account for person listed as the domain registrar/POC. The adversary can then claim that they forgot their password in order to make changes to the domain registration. 
Other possibilities include social engineering a domain registration help desk to gain access to an account or take advantage of renewal process gaps.", + "value": "Domain registration hijacking - PRE-T1103", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1103" + ], + "external_id": "PRE-T1103", + "kill_chain": [ + "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure" + ] + }, + "uuid": "aadaee0d-794c-4642-8293-7ec22a99fb1a" + }, + { + "description": "Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts.", + "value": "Analyze organizational skillsets and deficiencies - PRE-T1077", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1077" + ], + "external_id": "PRE-T1077", + "kill_chain": [ + "mitre-pre-attack:pre-attack:organizational-weakness-identification" + ] + }, + "uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc" + }, + { + "description": "Active scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: This technique is an expected and voluminous activity when on the Internet. Active scanning techniques/tools typically generate benign traffic that does not require further investigation by a defender since there is no actionable defense to execute. 
The high volume of this activity makes it burdensome for any defender to chase and therefore often ignored.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Various available tools and data sources for scouting and detecting address, routing, version numbers, patch levels, protocols/services running, etc.", + "value": "Conduct active scanning - PRE-T1031", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1031" + ], + "external_id": "PRE-T1031", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "7f2d3da6-7e34-44a3-9e7f-905455339726" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique used to compromise victims wherein the victims visit a compromised website that redirects their browser to a malicious web site, such as an exploit kit's landing page. The exploit kit landing page will probe the victim's operating system, web browser, or other software to find an exploitable vulnerability to infect the victim. (Citation: GeorgeDriveBy) (Citation: BellDriveBy)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: With the use of malware detonation chambers (e.g., for web or email traffic), this improves detection. Encryption and other techniques reduces the efficacy of these defenses.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Placing an exploit on a public web site for driveby types of delivery is not impossible. 
However, gaining access to a web site with high enough traffic to meet specific objectives could be the challenge.", + "value": "Unconditional client-side exploitation/Injected Website/Driveby - PRE-T1149", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1149" + ], + "external_id": "PRE-T1149", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "58d0b955-ae3d-424a-a537-2804dab38793" + }, + { + "description": "An adversary can test the detections of malicious emails or files by using publicly available services, such as virus total, to see if their files or emails cause an alert. They can also use similar services that are not openly available and don't publicly publish results or they can test on their own internal infrastructure. (Citation: WiredVirusTotal)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: If using a common service like [https://www.virustotal.com VirusTotal], it is possible to detect. If the adversary uses a hostile, less well-known service, the defender would not be aware.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easy to automate upload/email of a wide range of data packages.", + "value": "Test signature detection - PRE-T1069", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1069" + ], + "external_id": "PRE-T1069", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-weakness-identification" + ] + }, + "uuid": "57061a8a-d7c5-42a9-be60-f79526b95bf6" + }, + { + "description": "A technique in which a fully qualified domain name has multiple IP addresses assigned to it which are swapped with extreme frequency, using a combination of round robin IP address and short Time-To-Live (TTL) for a DNS resource record. 
(Citation: HoneynetFastFlux) (Citation: MisnomerFastFlux) (Citation: MehtaFastFluxPt1) (Citation: MehtaFastFluxPt2)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as IPS, domain registrars, and service providers are likely in the best position for detection.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Fast flux is generally simple for an adversary to set up and offers several advantages. Such advantages include limited audit trails for defenders to find, ease of operation for an adversary to maintain, and support for main nodes.", + "value": "Fast Flux DNS - PRE-T1102", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1102" + ], + "external_id": "PRE-T1102", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "248cbfdd-fec4-451b-b2a9-e46d4b268e30" + }, + { + "description": "Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No technical means to detect an adversary collecting technical information about a target. 
Any detection would be based upon strong OPSEC policy implementation.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very effective technique for the adversary that does not require any formal training and relies upon finding just one person who exhibits poor judgement.", + "value": "Conduct social engineering - PRE-T1026", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1026" + ], + "external_id": "PRE-T1026", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1" + }, + { + "description": "A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: TrendmicroHideoutsLease)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Hard to differentiate from standard business operations.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Wide variety of cloud/VPS/hosting/compute/storage solutions available for adversary to acquire freely or at a low cost.", + "value": "Acquire and/or use 3rd party infrastructure services - PRE-T1106", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1106" + ], + "external_id": "PRE-T1106", + "kill_chain": [ + "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure" + ] + }, + "uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6" + }, + { + "description": "Obfuscation is the act of creating code that is more difficult to understand. Encoding transforms the code using a publicly available format. 
Encryption transforms the code such that it requires a key to reverse the encryption. (Citation: CylanceOpCleaver)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Detecting encryption is easy, decrypting/deobfuscating is hard.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Various solutions exist for the adversary to use. This technique is commonly used to prevent attribution and evade detection.", + "value": "Obfuscate or encrypt code - PRE-T1096", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1096" + ], + "external_id": "PRE-T1096", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "357e137c-7589-4af1-895c-3fbad35ea4d2" + }, + { + "description": "Understanding organizational skillsets and deficiencies could provide insight in to weakness in defenses, or opportunities for exploitation. (Citation: FakeLinkedIn)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No access to who is consuming the job postings to know what is being observed.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Job postings have to be made public for contractors and many times have the name of the organization being supported.", + "value": "Analyze organizational skillsets and deficiencies - PRE-T1074", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1074" + ], + "external_id": "PRE-T1074", + "kill_chain": [ + "mitre-pre-attack:pre-attack:people-weakness-identification" + ] + }, + "uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41" + }, + { + "description": "An adversary could distribute malicious software development tools (e.g., compiler) that hide malicious behavior in software built using the tools. 
(Citation: PA XcodeGhost) (Citation: Reflections on Trusting Trust)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Developers could check a hash or signature of their development tools to ensure that they match expected values (e.g., Apple provides instructions of how to do so for its Xcode developer tool), but developers may not always do so.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: The adversary would need to either replace the tools provided at the official download location or influence developers to download the tools from an adversary-controlled third-party download location. Desktop operating systems (e.g., Windows, macOS) are increasingly encouraging use of vendor-provided official app stores to distribute software, which utilize code signing and increase the difficulty of replacing development tools with malicious versions.", + "value": "Distribute malicious software development tools - PRE-T1171", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1171" + ], + "external_id": "PRE-T1171", + "kill_chain": [ + "mitre-pre-attack:pre-attack:stage-capabilities" + ] + }, + "uuid": "d2c4206a-a431-4494-834d-52944a79e9f4" + }, + { + "description": "Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an signed piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not know what certificates an adversary acquires from a 3rd party. 
Defender will not know prior to public disclosure if a 3rd party has had their certificate compromised.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: It is trivial to purchase code signing certificates within an organization; many exist and are available at reasonable cost. It is complex to factor or steal 3rd party code signing certificates for use in malicious mechanisms", + "value": "Acquire or compromise 3rd party signing certificates - PRE-T1109", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1109" + ], + "external_id": "PRE-T1109", + "kill_chain": [ + "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure" + ] + }, + "uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983" + }, + { + "description": "Both newly built personas and pre-compromised personas may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. 
(Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Unless there is some threat intelligence reporting, these users are hard to differentiate.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: The only difference between an adversary conducting this technique and a typical user, is the adversary's intent - to target an individual for compromise.", + "value": "Develop social network persona digital footprint - PRE-T1119", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1119" + ], + "external_id": "PRE-T1119", + "kill_chain": [ + "mitre-pre-attack:pre-attack:persona-development" + ] + }, + "uuid": "271e6d40-e191-421a-8f87-a8102452c201" + }, + { + "description": "A technique used by the adversary similar to Dynamic DNS with the exception that the use of multiple DNS infrastructures likely have whois records. (Citation: KrebsStLouisFed)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: This is by design captured in public registration logs. Various tools and services exist to track/query/monitor domain name registration information. 
However, tracking multiple DNS infrastructures will likely require multiple tools/services or more advanced analytics.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Requires more planning, but feasible.", + "value": "Use multiple DNS infrastructures - PRE-T1104", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1104" + ], + "external_id": "PRE-T1104", + "kill_chain": [ + "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure" + ] + }, + "uuid": "616238cb-990b-4c71-8f50-d8b10ed8ce6b" + }, + { + "description": "Many applications use third-party software libraries, often without full knowledge of the behavior of the libraries by the application developer. For example, mobile applications often incorporate advertising libraries to generate revenue for the application developer. Vulnerabilities in these third-party libraries could potentially be exploited in any application that uses the library, and even if the vulnerabilities are fixed, many applications may still use older, vulnerable versions of the library. (Citation: Flexera News Vulnerabilities) (Citation: Android Security Review 2015) (Citation: Android Multidex RCE)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Open source software has great appeal mostly due to the time savings and that it is free. However, using this code without assessing it's security is akin to blindly executing third party software. Companies often do not dedicate the time to appropriately detect and scan for vulnerabilities. The mainstream mobile application stores scan applications for some known vulnerabilities. For example, Google's Android Application Security Improvement Program identifies and alerts developers to vulnerabilities present in their applications from use of the Vungle, Apache Cordova, WebView SSL, GnuTLS, and Vitamio third-party libraries. 
However, these scans are not likely to cover all vulnerable libraries, developers may not always act on the results, and the results may not be made available to impacted end users of the applications.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Developers commonly use open source libraries such that where an adversary can easily discover known vulnerabilities and create exploits. It is also generally easy to decompile arbitrary mobile applications to determine what libraries they use, and similarly use this information to correlate against known CVEs and exploit packages.", + "value": "Identify vulnerabilities in third-party software libraries - PRE-T1166", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1166" + ], + "external_id": "PRE-T1166", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-weakness-identification" + ] + }, + "uuid": "ad124f84-52d2-40e3-95dd-cfdd44eae6ef" + }, + { + "description": "DNS Calc is a technique in which the octets of an IP address are used to calculate the port for command and control servers from an initial DNS request. (Citation: CrowdstrikeNumberedPanda) (Citation: FireEyeDarwinsAPTGroup) (Citation: Rapid7G20Espionage)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: There are not currently available tools that provide the ability to conduct this calculation to detect this type of activity.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This technique assists the adversary in bypassing egress filtering designed to prevent unauthorized communication. It has been used by APT12, but not otherwise widely reported. 
Some botnets are hardcoded to be able to use this technique.", + "value": "DNSCalc - PRE-T1101", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1101" + ], + "external_id": "PRE-T1101", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "7823039f-e2d5-4997-853c-ec983631206b" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nExternally facing systems allow connections from outside the network as a normal course of operations. Externally facing systems may include, but are not limited to, websites, web portals, email, DNS, FTP, VPN concentrators, and boarder routers and firewalls. These systems could be in a demilitarized zone (DMZ) or may be within other parts of the internal environment. (Citation: CylanceOpCleaver) (Citation: DailyTechAntiSec)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Most DMZs are monitored but are also designed so that if they are compromised, the damage/risk is limited.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: DMZ environments are specifically designed to be isolated because one assumes they will ultimately be compromised by the adversary.", + "value": "Compromise of externally facing system - PRE-T1165", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1165" + ], + "external_id": "PRE-T1165", + "kill_chain": [ + "mitre-pre-attack:pre-attack:compromise" + ] + }, + "uuid": "4aeafdb3-eb0b-4e8e-b93f-95cd499088b4" + }, + { + "description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain. 
(Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain) (Citation: RSA-supply-chain)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Difficult, if not impossible to detect, because the adversary may collect this information from external sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Supply chain diversity of sourcing increases adversary difficulty with accurate mapping. Industry practice has moved towards agile sourcing.", + "value": "Identify supply chains - PRE-T1023", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1023" + ], + "external_id": "PRE-T1023", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "78e41091-d10d-4001-b202-89612892b6ff" + }, + { + "description": "Dumpster diving is looking through waste for information on technology, people, and/or organizational items of interest. (Citation: FriedDumpsters)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Strong physical security and monitoring will detect this behavior if performed on premises.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Not difficult if waste is placed in an unsecured or minimally secured area before collection.", + "value": "Dumpster dive - PRE-T1063", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1063" + ], + "external_id": "PRE-T1063", + "kill_chain": [ + "mitre-pre-attack:pre-attack:organizational-information-gathering" + ] + }, + "uuid": "6c79d654-6506-4f33-b48f-c80babdcc52d" + }, + { + "description": "For a computing resource to be accessible to the public, domain names and IP addresses must be registered with an authorized organization. 
(Citation: Google Domains WHOIS) (Citation: FunAndSun2012) (Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Open access to DNS registration/routing information is inherent in Internet architecture.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Proliferation of DNS information makes registration information functionally freely available.", + "value": "Obtain domain/IP registration information - PRE-T1028", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1028" + ], + "external_id": "PRE-T1028", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "46017368-6e09-412b-a29c-385be201cc03" + }, + { + "description": "Business relationship information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (Citation: 11StepsAttackers)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Exception to the rule is if the adversary tips off the target that others have been asking about the relationship with them.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Requires an intensive process. 
In some industries, business relationships may be public in order to generate business, but this is not the case for all industries and all relationships.", + "value": "Identify business relationships - PRE-T1060", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1060" + ], + "external_id": "PRE-T1060", + "kill_chain": [ + "mitre-pre-attack:pre-attack:organizational-information-gathering" + ] + }, + "uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a" + }, + { + "description": "Anonymity services reduce the amount of information available that can be used to track an adversary's activities. Multiple options are available to hide activity, limit tracking, and increase anonymity. (Citation: TOR Design) (Citation: Stratfor2012)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Depends on service. Some are easy to detect, but are hard to trace (e.g., [https://torproject.org TOR]).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easy access to anonymizers, quasi-anonymous services like remailers, [https://torproject.org TOR], relays, burner phones, etc.", + "value": "Anonymity services - PRE-T1083", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1083" + ], + "external_id": "PRE-T1083", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "d3dca536-8bf0-4e43-97c1-44a2353c3d69" + }, + { + "description": "Command and Control (C2 or C&C) is a method by which the adversary communicates with malware. An adversary may use a variety of protocols and methods to execute C2 such as a centralized server, peer to peer, IRC, compromised web sites, or even social media. 
(Citation: HAMMERTOSS2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but development will be performed on their local systems.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: C2 over commonly used and permitted protocols provides the necessary cover and access.", + "value": "C2 protocol development - PRE-T1129", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1129" + ], + "external_id": "PRE-T1129", + "kill_chain": [ + "mitre-pre-attack:pre-attack:build-capabilities" + ] + }, + "uuid": "8e211ec9-5dfc-4915-aff4-84d5908f0336" + }, + { + "description": "For attacks incorporating social engineering the utilization of an on-line persona is important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites ([https://www.facebook.com Facebook], [https://www.linkedin.com LinkedIn], [https://twitter.com Twitter], [https://plus.google.com Google+], etc.). 
(Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Unless there is some threat intelligence reporting, these users are hard to differentiate.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Performing activities like typical users, but with specific intent in mind.", + "value": "Build social network persona - PRE-T1118", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1118" + ], + "external_id": "PRE-T1118", + "kill_chain": [ + "mitre-pre-attack:pre-attack:persona-development" + ] + }, + "uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4" + }, + { + "description": "Once divided into the most granular parts, analysts work with collection managers to task the collection management system with requirements and sub-requirements. (Citation: Heffter) (Citation: JP2-01)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "value": "Task requirements - PRE-T1017", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1017" + ], + "external_id": "PRE-T1017", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-direction" + ] + }, + "uuid": "b93bd611-da4e-4c84-a40f-325b712bed67" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nSpearphishing for information is a specific variant of spearphishing. Spearphishing for information is different from other forms of spearphishing in that it it doesn't leverage malicious code. 
All forms of spearphishing are elctronically delivered social engineering targeted at a specific individual, company, or industry. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials, without involving malicious code. Spearphishing for information frequently involves masquerading as a source with a reason to collect information (such as a system administrator or a bank) and providing a user with a website link to visit. The given website often closely resembles a legitimate site in appearance and has a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Spearphishing for information may also try to obtain information directly through the exchange of emails, instant messengers or other electronic conversation means. (Citation: ATTACKREF GRIZZLY STEPPE JAR)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Depending on the specific method of phishing, the detections can vary. For emails, filtering based on DKIP+SPF or header analysis can help detect when the email sender is spoofed. 
When it comes to following links, network intrusion detection systems (NIDS), firewalls, removing links, exploding shortened links, proxy monitoring, blocking uncategorized sites, and site reputation based filtering can all provide detection opportunities.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending emails is trivial, and, over time, an adversary can refine their technique to minimize detection by making their emails seem legitimate in structure and content.", + "value": "Spearphishing for Information - PRE-T1174", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1174" + ], + "external_id": "PRE-T1174", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "b182f29c-2505-4b32-a000-0440ef189f59" + }, + { + "description": "Domain Names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. (Citation: PWCSofacy2014)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: This is by design captured in public registration logs. Various tools and services exist to track/query/monitor domain name registration information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Proliferation of DNS TLDs and registrars. Adversary may choose domains that are similar to legitimate domains (aka \"domain typosquatting\" or homoglyphs).", + "value": "Buy domain name - PRE-T1105", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1105" + ], + "external_id": "PRE-T1105", + "kill_chain": [ + "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure" + ] + }, + "uuid": "45242287-2964-4a3e-9373-159fad4d8195" + }, + { + "description": "Technology usage patterns include identifying if users work offsite, connect remotely, or other possibly less restricted/secured access techniques. 
(Citation: SANSRemoteAccess)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Physical observations, OSINT for remote access instructions, and other techniques are not detectable.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Determine if users work offsite, connect remotely, or other possibly less restricted/secured access techniques.", + "value": "Identify technology usage patterns - PRE-T1041", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1041" + ], + "external_id": "PRE-T1041", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "194bff4f-c218-40df-bea3-1ace715de8dd" + }, + { + "description": "Business relationship information includes the associates of a target and may be discovered via social media sites such as [https://www.linkedin.com LinkedIn] or public press releases announcing new partnerships between organizations or people (such as key hire announcements in industry articles). This information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (Citation: RSA-APTRecon) (Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender. 
Much of this information is widely known and difficult to obscure.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Made easier by today's current social media.", + "value": "Identify business relationships - PRE-T1049", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1049" + ], + "external_id": "PRE-T1049", + "kill_chain": [ + "mitre-pre-attack:pre-attack:people-information-gathering" + ] + }, + "uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nMany mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). These app stores scan submitted applications for malicious behavior. However, applications can evade these scans by downloading and executing new code at runtime that was not included in the original application package. (Citation: Fruit vs Zombies) (Citation: Android Hax) (Citation: Execute This!) (Citation: HT Fake News App) (Citation: Anywhere Computing kill 2FA) (Citation: Android Security Review 2015)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Third-party mobile application security analysis services exist that scan for use of these techniques in iOS and Android applications. Additionally, Google specifically calls out the ability to \"identify attacks that require connection to a server and dynamic downloading of code\" in its Android Security 2015 Year in Review report. 
However, many applications use these techniques as part of their legitimate operation, increasing the difficulty of detecting or preventing malicious use.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Runtime code execution techniques and examples of their use are widely documented on both Apple iOS and Android.", + "value": "Runtime code download and execution - PRE-T1172", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1172" + ], + "external_id": "PRE-T1172", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "41086474-e6de-4fac-bb69-640db7fdf3d2" + }, + { + "description": "Analysts assess current information available against requirements that outline needs and wants as part of the research baselining process to begin satisfying a requirement. (Citation: CyberAdvertisingChar) (Citation: CIATradecraft) (Citation: ForensicAdversaryModeling) (Citation: CyberAdversaryBehavior)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "value": "Assess current holdings, needs, and wants - PRE-T1013", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1013" + ], + "external_id": "PRE-T1013", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-planning" + ] + }, + "uuid": "8e927b19-04a6-4aaa-a42f-4f0a53411d27" + }, + { + "description": "Templates and branding materials may be used by an adversary to add authenticity to social engineering message. 
(Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary may download templates or branding from publicly available presentations that the defender can't monitor.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Some branding information is publicly available when a corporation publishes their briefings to the internet which provides insight into branding information and template materials. An exhaustive list of templating and branding is likely not available on the internet.", + "value": "Obtain templates/branding materials - PRE-T1058", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1058" + ], + "external_id": "PRE-T1058", + "kill_chain": [ + "mitre-pre-attack:pre-attack:organizational-information-gathering" + ] + }, + "uuid": "68b45999-bb0c-4829-bbd0-75d6dac57c94" + }, + { + "description": "Dynamic DNS is a method of automatically updating a name in the DNS system. Providers offer this rapid reconfiguration of IPs to hostnames as a service. (Citation: DellMirage2012)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not know at first use what is valid or hostile traffic without more context. It is possible, however, for defenders to see if the PTR record for an address is hosted by a known DDNS provider. 
There is potential to assign some level of risk based on this.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Flexible and re-configurable command and control servers, along with deniable ownership and reduced cost of ownership.", + "value": "Dynamic DNS - PRE-T1088", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1088" + ], + "external_id": "PRE-T1088", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "20a66013-8dab-4ca3-a67d-766c842c561c" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nEmails with malicious links are designed to get a user to click on the link in order to deliver malware payloads. (Citation: GoogleDrive Phishing) (Citation: RSASEThreat)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defenders can implement mechanisms to analyze links and identify levels of concerns. However, the adversary has the advantage of creating new links or finding ways to obfuscate the link so that common detection lists can not identify it. Detection of a malicious link could be identified once the file has been downloaded.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending emails is trivial and expected. 
The adversary needs to ensure links don't get tampered, removed, or flagged as a previously black-listed site.", + "value": "Spear phishing messages with malicious links - PRE-T1146", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1146" + ], + "external_id": "PRE-T1146", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "489a7797-01c3-4706-8cd1-ec56a9db3adc" + }, + { + "description": "During production and distribution, the placement of software, firmware, or a CPU chip in a computer, handheld, or other electronic device that enables an adversary to gain illegal entrance. (Citation: McDRecall) (Citation: SeagateMaxtor)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The number of elements and components in a supply chain of HW or SW is vast and detecting an implant is complex for SW, but more complex for HW.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Access to the supply chain by an adversary can be a challenging endeavor, depending on what element is attempting to be subverted.", + "value": "Hardware or software supply chain implant - PRE-T1142", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1142" + ], + "external_id": "PRE-T1142", + "kill_chain": [ + "mitre-pre-attack:pre-attack:stage-capabilities" + ] + }, + "uuid": "388f3a5c-2cdd-466c-9159-b507fa429fcd" + }, + { + "description": "The secondary level tactical element the adversary seeks to attack is the specific network or area of a network that is vulnerable to attack. Within the corporate network example, the secondary level tactical element might be a SQL server or a domain controller with a known vulnerability. 
(Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12 (R)) (Citation: DoD Cyber 2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. May change for special use cases or adversary and defender overlays.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.", + "value": "Determine secondary level tactical element - PRE-T1021", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1021" + ], + "external_id": "PRE-T1021", + "kill_chain": [ + "mitre-pre-attack:pre-attack:target-selection" + ] + }, + "uuid": "b9148981-152a-4a19-95c1-962803f5c9af" + }, + { + "description": "An adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure. 
(Citation: APT1) (Citation: RedOctober)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Infrastructure is (typically) outside of control/visibility of defender and as such as tools are staged for specific campaigns, it will not be observable to those being attacked.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS providers).", + "value": "Upload, install, and configure software/tools - PRE-T1139", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1139" + ], + "external_id": "PRE-T1139", + "kill_chain": [ + "mitre-pre-attack:pre-attack:stage-capabilities" + ] + }, + "uuid": "e8471f43-2742-4fd7-9af7-8ed1330ada37" + }, + { + "description": "Leadership organizes Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) into three types of categories and creates more if necessary. An example of a description of key players KIT would be when an adversary assesses the cyber defensive capabilities of a nation-state threat actor. (Citation: Herring1999)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. 
May not be done by all adversaries.", + "value": "Assign KITs/KIQs into categories - PRE-T1005", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1005" + ], + "external_id": "PRE-T1005", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-planning" + ] + }, + "uuid": "a86a21a4-6304-4df3-aa6d-08114c47d48f" + }, + { + "description": "An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. (Citation: Li2014ExploitKits) (Citation: RecurlyGHOST)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Analyze technical scanning results to identify weaknesses in the configuration or architecture. Many of the common tools highlight these weakness automatically (e.g., software security scanning tools or published vulnerabilities about commonly used libraries).", + "value": "Analyze application security posture - PRE-T1070", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1070" + ], + "external_id": "PRE-T1070", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-weakness-identification" + ] + }, + "uuid": "fe421ab9-c8f3-42f7-9ae1-5d6c324cc925" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nSending messages through social media platforms to individuals identified as a target. These messages may include malicious attachments or links to malicious sites or they may be designed to establish communications for future actions. 
(Citation: APT1) (Citation: Nemucod Facebook)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Extremely hard to identify (in the launch phase) what message via social media is hostile versus what is not. Increased use of encrypted communications increases the difficulty average defender's have in detecting use of this technique.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending messages to individuals identified as a target follows normal tradecraft for using social media.", + "value": "Targeted social media phishing - PRE-T1143", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1143" + ], + "external_id": "PRE-T1143", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "eb517589-eefc-480e-b8e3-7a8b1066f6f1" + }, + { + "description": "The adversary can obtain an Apple iOS enterprise distribution key pair and certificate and use it to distribute malicious apps directly to Apple iOS devices without the need to publish the apps to the Apple App Store (where the apps could potentially be detected). (Citation: Apple Developer Enterprise Porgram Apps) (Citation: Fruit vs Zombies) (Citation: WIRELURKER) (Citation: Sideloading Change)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Starting in iOS 9, Apple has changed the user interface when installing apps to better indicate to users the potential implications of installing apps signed by an enterprise distribution key rather than from Apple's App Store and to make it more difficult for users to inadvertently install these apps. Additionally, enterprise management controls are available that can be imposed to prevent installing these apps. 
Also, enterprise mobility management / mobile device management (EMM/MDM) systems can be used to scan for the presence of undesired apps on enterprise mobile devices.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Apple requires a DUNS number, corporate documentation, and $299 to obtain an enterprise distribution certificate. Additionally, Apple revokes certificates if they discover malicious use. However, the enrollment information could be falsified to Apple by an adversary, or an adversary could steal an existing enterprise distribution certificate (and the corresponding private key) from a business that already possesses one.", + "value": "Obtain Apple iOS enterprise distribution key pair and certificate - PRE-T1169", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1169" + ], + "external_id": "PRE-T1169", + "kill_chain": [ + "mitre-pre-attack:pre-attack:persona-development" + ] + }, + "uuid": "d58f3996-e293-4f69-a2c8-0e1851cb8297" + }, + { + "description": "Infrastructure services includes the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than being managed by the owning organization. 
(Citation: FFIECAwareness) (Citation: Zetter2015Threats)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The data is passive in nature or not controlled by the defender, so it is hard to identify when an adversary is getting or analyzing the data.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Based on what the 3rd party infrastructure is, there are many tell tail signs which indicate it is hosted by a 3rd party, such as ASN data, MX or CNAME pointers or IP addresses", + "value": "Determine 3rd party infrastructure services - PRE-T1037", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1037" + ], + "external_id": "PRE-T1037", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "856a9371-4f0f-4ea9-946e-f3144204240f" + }, + { + "description": "As with legitimate development efforts, different skill sets may be required for different phases of an attack. The skills needed may be located in house, can be developed, or may need to be contracted out. (Citation: APT1)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Recruitment is, by its nature, either clandestine or off the record.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Like target organizations, adversary organizations are competing to identify and hire top technical talent. 
Training less technical staff is also a viable option.", + "value": "Identify resources required to build capabilities - PRE-T1125", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1125" + ], + "external_id": "PRE-T1125", + "kill_chain": [ + "mitre-pre-attack:pre-attack:build-capabilities" + ] + }, + "uuid": "c9fb4451-729d-4771-b205-52c1829f949c" + }, + { + "description": "A form of social engineering designed build trust and to lay the foundation for future interactions or attacks. (Citation: BlackHatRobinSage)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Users have the ability to detect and report non-authenticated individuals requesting to follow, friend or connect to a target. However the rigidity in validating the users is not typically followed by standard users.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Connecting with \"friends\" is a fundamental requirement for social media - without it, social media is worthless. An adversary can easily create a profile and request targets to validate the requests.", + "value": "Friend/Follow/Connect to targets of interest - PRE-T1141", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1141" + ], + "external_id": "PRE-T1141", + "kill_chain": [ + "mitre-pre-attack:pre-attack:stage-capabilities" + ] + }, + "uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d" + }, + { + "description": "Use of removable media as part of the Launch phase requires an adversary to determine type, format, and content of the media and associated malware. 
(Citation: BadUSB)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but development will be performed on their local systems.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Several exploit repositories and tool suites exist for re-use and tailoring.", + "value": "Create infected removable media - PRE-T1132", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1132" + ], + "external_id": "PRE-T1132", + "kill_chain": [ + "mitre-pre-attack:pre-attack:build-capabilities" + ] + }, + "uuid": "eacadff4-164b-451c-bacc-7b29ebfd0c3f" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nDNS (cache) poisoning is the corruption of an Internet server's domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address. (Citation: Google DNS Poisoning) (Citation: DNS Poisoning China) (Citation: Mexico Modem DNS Poison)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Tracking multiple DNS infrastructures will likely require multiple tools/services, more advanced analytics, and mature detection/response capabilities in order to be effective. 
Few defenders demonstrate the mature processes to immediately detect and mitigate against the use of this technique.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary poisons DNS entry to redirect traffic designated for one site to route to an adversary controlled resource.", + "value": "DNS poisoning - PRE-T1159", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1159" + ], + "external_id": "PRE-T1159", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "76c9e8cb-52e1-4ddc-80d4-5f7231842e06" + }, + { + "description": "An adversary can attempt to identify web defensive services as [https://www.cloudflare.com/ CloudFlare], [https://github.com/jjxtra/Windows-IP-Ban-Service IPBan], and [https://www.snort.org/ Snort]. This may be done by passively detecting services, like [https://www.cloudflare.com/ CloudFlare] routing, or actively, such as by purposefully tripping security defenses. (Citation: NMAP WAF NSE)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Active service detection may trigger an alert. Passive service enumeration is not detected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary can passively detect services (e.g., [https://www.cloudflare.com/ CloudFlare] routing) or actively detect services (e.g., by purposefully tripping security defenses)", + "value": "Identify web defensive services - PRE-T1033", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1033" + ], + "external_id": "PRE-T1033", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "288b3cc3-f4da-4250-ab8c-d8b5dbed94ca" + }, + { + "description": "An adversary may analyze technical scanning results to identify weaknesses in the configuration or architecture of a victim network. 
These weaknesses could include architectural flaws, misconfigurations, or improper security controls. (Citation: FireEyeAPT28)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Many of the common tools highlight these weakness automatically.", + "value": "Analyze architecture and configuration posture - PRE-T1065", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1065" + ], + "external_id": "PRE-T1065", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-weakness-identification" + ] + }, + "uuid": "87775365-2081-4b6e-99bd-48a3b8f36563" + }, + { + "description": "A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: 3rd party services highly leveraged by legitimate services, hard to distinguish from background noise. While an adversary can use their own infrastructure, most know this is a sure- re way to get caught. 
To add degrees of separation, they can buy or rent from another adversary or accomplice.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Wide range of 3rd party services for hosting, rotating, or moving C2, static data, exploits, exfiltration, etc.", + "value": "Acquire and/or use 3rd party infrastructure services - PRE-T1084", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1084" + ], + "external_id": "PRE-T1084", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "286cc500-4291-45c2-99a1-e760db176402" + }, + { + "description": "The approach or attack vector outlines the specifics behind how the adversary would like to attack the target. As additional information is known through the other phases of PRE-ATT&CK, an adversary may update the approach or attack vector. (Citation: CyberAdversaryBehavior) (Citation: WITCHCOVEN2015) (Citation: JP3-60) (Citation: JP3-12 (R)) (Citation: DoD Cyber 2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. May change for special use cases or adversary and defender overlays.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.", + "value": "Determine approach/attack vector - PRE-T1022", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1022" + ], + "external_id": "PRE-T1022", + "kill_chain": [ + "mitre-pre-attack:pre-attack:target-selection" + ] + }, + "uuid": "d45fe3c2-0688-43b9-ac07-7eb86f575e93" + }, + { + "description": "If an adversary can identify which security tools a victim is using they may be able to identify ways around those tools. 
(Citation: CrowdStrike Putter Panda)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public source external to the defender's organization.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires in-depth research and potentially other intrusions, requires unbounded amount of work to possibly find a return on investment", + "value": "Research visibility gap of security vendors - PRE-T1067", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1067" + ], + "external_id": "PRE-T1067", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-weakness-identification" + ] + }, + "uuid": "b26babc7-9127-4bd5-9750-5e49748c9be3" + }, + { + "description": "Business processes, such as who typically communicates with who, or what the supply chain is for a particular part, provide opportunities for social engineering or other (Citation: Warwick2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Social engineering and other attempts to learn about business practices and processes would not immediately be associated with an impending cyber event.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: To get any kind of fidelity into business processes would require insider access. Basic processes could be mapped, but understanding where in the organization these processes take place and who to target during any given phase of the process would generally be difficult.", + "value": "Analyze business processes - PRE-T1078", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1078" + ], + "external_id": "PRE-T1078", + "kill_chain": [ + "mitre-pre-attack:pre-attack:organizational-weakness-identification" + ] + }, + "uuid": "57619ab3-f6a5-43c8-8dd1-b0b8a986a870" + }, + { + "description": "Physical access may be required for certain types of adversarial actions. 
(Citation: CyberPhysicalAssessment) (Citation: CriticalInfrastructureAssessment)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Physical security is often unaware of implications of physical access to network. However, some organizations have thorough physical security measures that would log and report attempted incursions, perimeter breaches, unusual RF at a site, etc.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Social engineering and OSINT are still generally successful. Physical locations of offices/sites are easily determined. Monitoring for other sites of interest, such as backup storage vendors, is also easy to accomplish.", + "value": "Assess security posture of physical locations - PRE-T1079", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1079" + ], + "external_id": "PRE-T1079", + "kill_chain": [ + "mitre-pre-attack:pre-attack:organizational-weakness-identification" + ] + }, + "uuid": "31a57c70-6709-4d06-a473-c3df1f74c1d4" + }, + { + "description": "Configure and setup booter/stressor services, often intended for server stress testing, to enable denial of service attacks. (Citation: Krebs-Anna) (Citation: Krebs-Booter) (Citation: Krebs-Bazaar)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Purchase of booster services is not observable; potentially can trace booster service used to origin of sale, yet not before attack is executed. 
Furthermore, subscription does not automatically mean foul intention.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easily accessible and used to launch DDoS attacks by even novice Internet users, and can be purchased from providers for a nominal fee, some of which even accept credit cards and PayPal payments to do.", + "value": "Obtain booter/stressor subscription - PRE-T1173", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1173" + ], + "external_id": "PRE-T1173", + "kill_chain": [ + "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure" + ] + }, + "uuid": "3d1488a6-59e6-455a-8b80-78b53edc33fe" + }, + { + "description": "An adversary will assess collected information such as software/hardware versions, vulnerabilities, patch level, etc. They will analyze technical scanning results to identify weaknesses in the confirmation or architecture. (Citation: SurveyDetectionStrategies) (Citation: CyberReconPaper) (Citation: RSA-APTRecon) (Citation: FireEyeAPT28)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Many of the common tools highlight these weaknesses automatically. Adversary can \"dry run\" against the target using known exploits or burner devices to determine key identifiers of software, hardware, and services.", + "value": "Analyze data collected - PRE-T1064", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1064" + ], + "external_id": "PRE-T1064", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-weakness-identification" + ] + }, + "uuid": "773950e1-090c-488b-a480-9ff236312e31" + }, + { + "description": "Software applications will be built using different technologies, languages, and dependencies. 
This information may reveal vulnerabilities or opportunities to an adversary. (Citation: CommonApplicationAttacks) (Citation: WebApplicationSecurity) (Citation: SANSTop25)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Impossible to differentiate between an adversary and a normal user when accessing a site to determine the languages/technologies used. If active scanning tools are employed, then the defender has the ability to detect. However, this is typically not acted upon due to the large volume of this type of traffic and it will likely not prompt the defender to take any actionable defense. Defender review of access logs may provide some insight based on trends or patterns.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Basic interaction with the site provides insight into the programming languages/technologies used for a given web site. Additionally many of the active scanning tools will also provide some insight into this information.", + "value": "Enumerate externally facing software applications technologies, languages, and dependencies - PRE-T1038", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1038" + ], + "external_id": "PRE-T1038", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "ef6197fd-a58a-4006-bfd6-1d7765d8409d" + }, + { + "description": "Analysts may receive Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from leadership or key decision makers and generate intelligence requirements to articulate intricacies of information required on a topic or question. (Citation: Herring1999)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. 
Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "value": "Generate analyst intelligence requirements - PRE-T1011", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1011" + ], + "external_id": "PRE-T1011", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-planning" + ] + }, + "uuid": "e754fa49-2db1-416b-92db-7f886decd099" + }, + { + "description": "Redirecting a communication request from one address and port number combination to another. May be set up to obfuscate the final location of communications that will occur in later stages of an attack. (Citation: SecureWorks HTRAN Analysis)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Infrastructure is (typically) outside of control/visibility of defender and as such as tools are staged for specific campaigns, it will not be observable to those being attacked.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS providers).", + "value": "Port redirector - PRE-T1140", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1140" + ], + "external_id": "PRE-T1140", + "kill_chain": [ + "mitre-pre-attack:pre-attack:stage-capabilities" + ] + }, + "uuid": "13ff5307-b650-405a-9664-d8076930b2bf" + }, + { + "description": "Understanding an organizations business processes and tempo may allow an adversary to more effectively craft social engineering attempts or to better hide technical actions, such as those that generate network traffic. 
(Citation: Scasny2015) (Citation: Infosec-osint)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Current or previous employees may divulge information on the Internet. If insiders are used, the defender may have policies or tools in place to detect loss of this data or knowledge.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: In some cases, this requires some insider knowledge or specialized access to learn when critical operations occur in a corporation. For publicly traded US corporations, there is a lot of open source information about their financial reporting obligations (per SEC). Companies announce their annual shareholder meeting and their quarter phone calls with investors. Information such as this can help the adversary to glean certain aspects of the business processes and/or rhythm.", + "value": "Identify business processes/tempo - PRE-T1057", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1057" + ], + "external_id": "PRE-T1057", + "kill_chain": [ + "mitre-pre-attack:pre-attack:organizational-information-gathering" + ] + }, + "uuid": "1f82ef59-b7da-4cd3-a41c-2e80f80f084f" + }, + { + "description": "Delivery systems are the infrastructure used by the adversary to host malware or other tools used during exploitation. Building and configuring delivery systems may include multiple activities such as registering domain names, renting hosting space, or configuring previously exploited environments. (Citation: APT1)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: It is detectable once deployed to the public Internet, used for adversarial purposes, discovered, and reported to defenders.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: It is easy to create and burn infrastructure. 
Otherwise, blacklisting would be more successful for defenders.", + "value": "Build and configure delivery systems - PRE-T1124", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1124" + ], + "external_id": "PRE-T1124", + "kill_chain": [ + "mitre-pre-attack:pre-attack:build-capabilities" + ] + }, + "uuid": "15ef4da5-3b93-4bb1-a39a-5396661956d3" + }, + { + "description": "Personnel internally to a company may have non-electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is an individual with financial authority to authorize large transactions. An adversary who compromises this individual might be able to subvert large dollar transfers. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The layers of data required and potential gaps of information to map a specific person to an authority or privilege on a network requires access to resources that may not tip off a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires an adversary to undergo an intensive research process. It is resource intensive or requires special data access. May be easier for certain specialty use cases.", + "value": "Identify personnel with an authority/privilege - PRE-T1048", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1048" + ], + "external_id": "PRE-T1048", + "kill_chain": [ + "mitre-pre-attack:pre-attack:people-information-gathering" + ] + }, + "uuid": "762771c2-3675-4535-88e9-b1f891758974" + }, + { + "description": "An adversary may research available open source information about a target commonly found on social media sites such as [https://www.facebook.com Facebook], [https://www.instagram.com Instagram], or [https://www.pinterest.com Pinterest]. 
Social media is public by design and provides insight into the interests and potentially inherent weaknesses of a target for exploitation by the adversary. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very public by design. Application of privacy settings is not a panacea.", + "value": "Mine social media - PRE-T1050", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1050" + ], + "external_id": "PRE-T1050", + "kill_chain": [ + "mitre-pre-attack:pre-attack:people-information-gathering" + ] + }, + "uuid": "695b1cce-57d7-49ae-a2af-820d50153f12" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nCredential pharming a form of attack designed to steal users' credential by redirecting users to fraudulent websites. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. (Citation: DriveByPharming) (Citation: GoogleDrive Phishing)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Fidelity of networking monitoring must be able to detect when traffic is diverted to non-normal sources at a site level. 
It is possible to identify some methods of pharming, but detection capabilities are limited and not commonly implemented.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Although it can be difficult to spoof/redirect content to a hostile service via DNS poisoning or MiTM attacks, current malware such as Zeus is able to successfully pharm credentials and end users are not well-versed in checking for certificate mismatches.", + "value": "Credential pharming - PRE-T1151", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1151" + ], + "external_id": "PRE-T1151", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "38a6d2f5-d948-4235-bb91-bb01604448b4" + }, + { + "description": "Leadership identifies gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: ODNIIntegration) (Citation: ICD115)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "value": "Identify gap areas - PRE-T1002", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1002" + ], + "external_id": "PRE-T1002", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-planning" + ] + }, + "uuid": "d778cb83-2292-4995-b006-d38f52bc1e64" + }, + { + "description": "Google and Apple provide Google Cloud Messaging and Apple Push Notification Service, respectively, services designed to enable efficient communication between third-party mobile app backend servers and the mobile apps running on individual devices. 
These services maintain an encrypted connection between every mobile device and Google or Apple that cannot easily be inspected and must be allowed to traverse networks as part of normal device operation. These services could be used by adversaries for communication to compromised mobile devices. (Citation: Securelist Mobile Malware 2013) (Citation: DroydSeuss)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: These services are heavily utilized by mainstream mobile app developers. High volume of communications makes it extremely hard for a defender to distinguish between legitimate and adversary communications.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: These are free services provided by Google and Apple to app developers, and information on how to use them is readily available.", + "value": "OS-vendor provided communication channels - PRE-T1167", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1167" + ], + "external_id": "PRE-T1167", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "5436571f-2332-4b51-b7ed-0bc822fe02c2" + }, + { + "description": "Job postings, on either company sites, or in other forums, provide information on organizational structure, needs, and gaps in an organization. This may give an adversary an indication of weakness in an organization (such as under-resourced IT shop). Job postings can also provide information on an organizations structure which could be valuable in social engineering attempts. 
(Citation: JobPostingThreat) (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public source external to the defender's organization.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very public by design.", + "value": "Identify job postings and needs/gaps - PRE-T1055", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1055" + ], + "external_id": "PRE-T1055", + "kill_chain": [ + "mitre-pre-attack:pre-attack:organizational-information-gathering" + ] + }, + "uuid": "7718e92f-b011-4f88-b822-ae245a1de407" + }, + { + "description": "Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No technical means to detect an adversary collecting information about a target. Any detection would be based upon strong OPSEC policy implementation.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very effective technique for the adversary that does not require any formal training and relies upon finding just one person who exhibits poor judgement.", + "value": "Conduct social engineering - PRE-T1056", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1056" + ], + "external_id": "PRE-T1056", + "kill_chain": [ + "mitre-pre-attack:pre-attack:organizational-information-gathering" + ] + }, + "uuid": "a757670d-d600-48d9-8ae9-601d42c184a5" + }, + { + "description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit organizational relationships. 
(Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires an intensive process. May be easier in certain industries where there are a limited number of suppliers (e.g., SCADA).", + "value": "Identify supply chains - PRE-T1053", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1053" + ], + "external_id": "PRE-T1053", + "kill_chain": [ + "mitre-pre-attack:pre-attack:organizational-information-gathering" + ] + }, + "uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c" + }, + { + "description": "Analysts identify gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: BrighthubGapAnalysis) (Citation: ICD115) (Citation: JP2-01)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "value": "Identify analyst level gaps - PRE-T1010", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1010" + ], + "external_id": "PRE-T1010", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-planning" + ] + }, + "uuid": "0fad2267-9f46-4ebb-91b5-d543243732cb" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nInstead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. 
(Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not have visibility on 3rd party sites unless target is successfully enticed to visit one.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly used technique currently (e.g., [https://www.wordpress.com WordPress] sites) as precursor activity to launching attack against intended target (e.g., acquiring botnet or layers of proxies for reducing attribution possibilities).", + "value": "Compromise 3rd party infrastructure to support delivery - PRE-T1111", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1111" + ], + "external_id": "PRE-T1111", + "kill_chain": [ + "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure" + ] + }, + "uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b" + }, + { + "description": "Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: LUCKYCAT2012)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Difficult, but defender is well aware of technique and attempts to find discrepancies.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary has a variety of solutions, ranging in difficulty, that can be employed (e.g., BGP hijacking, tunneling, reflection, multi-hop, etc.)\nAdversary can also use misattributable credentials to obtain servers, build environment, [https://aws.amazon.com Amazon Web Services] (AWS) accounts, etc.", + "value": "Obfuscate infrastructure - PRE-T1086", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1086" + ], + "external_id": "PRE-T1086", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6" + }, + { + "description": "This technique has been deprecated. 
Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nExploits spread through advertising (malvertising) involve injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. (Citation: TPMalvertising)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Although some commercial technologies are being advertised which claim to detect malvertising, it largely spreads unknowingly because it doesn't always require an action by a user.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: An adversary can deploy exploits via malvertising using multiple mechanisms. Such mechanisms include an image ad that is infected, redirection, or using social engineering to get the end user to install the malicious software themselves.", + "value": "Deploy exploit using advertising - PRE-T1157", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1157" + ], + "external_id": "PRE-T1157", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "d72c0bc0-3007-418c-842c-328027ebdbc1" + }, + { + "description": "A network topology is the arrangement of the various elements of a network (e.g., servers, workstations, printers, routers, firewalls, etc.). Mapping a network allows an adversary to understand how the elements are connected or related. (Citation: man traceroute) (Citation: Shodan Tutorial)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Network mapping techniques/tools typically generate benign traffic that does not require further investigation by a defender since there is no actionable defense to execute. 
Defender review of access logs may provide some insight based on trends or patterns.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Various available tools and data sources for scouting and detecting network topologies.", + "value": "Map network topology - PRE-T1029", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1029" + ], + "external_id": "PRE-T1029", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "cdfdb0cd-a839-403c-9dd6-8a85d8c5c73d" + }, + { + "description": "Obfuscation is the act of creating communications that are more difficult to understand. Encryption transforms the communications such that it requires a key to reverse the encryption. (Citation: FireEyeAPT28)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Techniques and signatures are hard to detect. Advanced communications and exfiltration channels are nearly indistinguishable from background noise.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Known approaches include the use of cryptography for communications, rotating drops sites (such as random list of chat fora), and one-time [https://aws.amazon.com/s3/ Simple Storage Service (S3)] buckets, etc. All require sophisticated knowledge, infrastructure, and funding.", + "value": "Obfuscation or cryptography - PRE-T1090", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1090" + ], + "external_id": "PRE-T1090", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "c2ffd229-11bb-4fd8-9208-edbe97b14c93" + }, + { + "description": "The adversary can use account credentials or signing keys of an existing mobile app developer to publish malicious updates of existing mobile apps to an application store, or to abuse the developer's identity and reputation to publish new malicious apps. 
Many mobile devices are configured to automatically install new versions of already-installed apps. (Citation: Fraudenlent Apps Stolen Dev Credentials)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Possible to detect compromised credentials if alerting from a service provider is enabled and acted upon by the individual.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: The difficulty of obtaining useful developer credentials may vary. Well-organized, professional app developers whose credentials or signing keys would be the most useful to an adversary because of the large install bases of their apps, would likely strongly protect their credentials and signing keys. Less-organized app developers may not protect their credentials and signing keys as strongly, but the credentials and signing keys would also be less useful to an adversary. These less-organized app developers may reuse passwords across sites, fail to turn on multi-factor authentication features when available, or store signing keys in unprotected locations.", + "value": "Choose pre-compromised mobile app developer account credentials or signing keys - PRE-T1168", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1168" + ], + "external_id": "PRE-T1168", + "kill_chain": [ + "mitre-pre-attack:pre-attack:persona-development" + ] + }, + "uuid": "7a265bf0-6acc-4f43-8b22-2e58b443e62e" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nEmails with text only phishing messages do not contain any attachments or links to websites. They are designed to get a user to take a follow on action such as calling a phone number or wiring money. They can also be used to elicit an email response to confirm existence of an account or user. 
(Citation: Paypal Phone Scam)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: End user training and awareness is the primary defense for flagging a plain text email so the end user does not respond or take any requested action (e.g., calling a designated number).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Sending messages with text only should be accepted in most cases (e.g., not being filtered based on source, content).", + "value": "Spear phishing messages with text only - PRE-T1145", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1145" + ], + "external_id": "PRE-T1145", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "2fc04aa5-48c1-49ec-919a-b88241ef1d17" + }, + { + "description": "Callbacks are malware communications seeking instructions. An adversary will test their malware to ensure the appropriate instructions are conveyed and the callback software can be reached. (Citation: LeeBeaconing)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary controls the test and defender likely has no visibility.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary controls or acquires all pieces of infrastructure and can test outside of defender's visibility.", + "value": "Test callback functionality - PRE-T1133", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1133" + ], + "external_id": "PRE-T1133", + "kill_chain": [ + "mitre-pre-attack:pre-attack:test-capabilities" + ] + }, + "uuid": "0649fc36-72a0-40a0-a2f9-3fc7e3231ad6" + }, + { + "description": "Technical blogs and forums provide a way for technical staff to ask for assistance or troubleshoot problems. In doing so they may reveal information such as operating system (OS), network devices, or applications in use. 
(Citation: FunAndSun2012)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Cannot detect access to public sites.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Success is dependent upon the existence of detailed technical specifications for target network posted in blogs/forums. Poor OPSEC practices result in an adversary gleaning a lot of sensitive information about configurations and/or issues encountered.", + "value": "Mine technical blogs/forums - PRE-T1034", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1034" + ], + "external_id": "PRE-T1034", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "a54a7708-8f64-45f3-ad51-1abf976986a0" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nUsers may be performing legitimate activity but using media that is compromised (e.g., using a USB drive that comes with malware installed during manufacture or supply). Upon insertion in the system the media auto-runs and the malware executes without further action by the user. (Citation: WSUSpect2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Environments without extensive endpoint sensing capabilities do not typically collect this level of detailed information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Autoruns with USB keys and CDs traditionally were always on (e.g., [http://windows.microsoft.com Windows] 7 is now an exception with a new policy of limiting the always on nature of Autoruns), ensuring and automated system completes a requested action. 
Specialized use cases exist where automated systems are specifically designed against automatically performing certain actions (e.g., USB/CD insertion and automatically running is disabled in certain environments).", + "value": "Automated system performs requested action - PRE-T1161", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1161" + ], + "external_id": "PRE-T1161", + "kill_chain": [ + "mitre-pre-attack:pre-attack:compromise" + ] + }, + "uuid": "0e6abb17-0f81-4988-9fd2-4ba0b673d729" + }, + { + "description": "A payload is the part of the malware which performs a malicious action. The adversary may re-use payloads when the needed capability is already available. (Citation: SonyDestover)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but detecting an adversary acquiring a payload would require the defender to be monitoring the code repository where the payload is stored. If the adversary re-uses payloads, this allows the defender to create signatures to detect using these known indicators of compromise (e.g., hashes).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Several exploit repositories and tool suites exist for re-use and tailoring.", + "value": "Obtain/re-use payloads - PRE-T1123", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1123" + ], + "external_id": "PRE-T1123", + "kill_chain": [ + "mitre-pre-attack:pre-attack:build-capabilities" + ] + }, + "uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768" + }, + { + "description": "Passive scanning is the act of looking at existing network traffic in order to identify information about the communications system. 
(Citation: SurveyDetectionStrategies) (Citation: CyberReconPaper)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Generates no network traffic that would enable detection.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easy to do but it requires a vantage point conducive to accessing this data.", + "value": "Conduct passive scanning - PRE-T1030", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1030" + ], + "external_id": "PRE-T1030", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "a7c620e5-cbc9-41b2-9695-418ef560f16c" + }, + { + "description": "Social media provides insight into the target's affiliations with groups and organizations. Certification information can explain their technical associations and professional associations. Personal information can provide data for exploitation or even blackmail. (Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public sources are external to the defender's organization. Some social media sites have an option to show you when users are looking at your profile, but an adversary can evade this tracking depending on how they conduct the searches.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Social and business relationship information for an individual can be found by examining their social media contacts (e.g., [https://www.facebook.com Facebook] and [https://www.linkedin.com LinkedIn]). Social media also provides insight into the target's affiliations with groups and organizations. 
Finally, certification information can explain their technical associations and professional associations.", + "value": "Analyze social and business relationships, interests, and affiliations - PRE-T1072", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1072" + ], + "external_id": "PRE-T1072", + "kill_chain": [ + "mitre-pre-attack:pre-attack:people-weakness-identification" + ] + }, + "uuid": "ee40d054-6e83-4302-88dc-a3af98821d8d" + }, + { + "description": "Technical network hiding techniques are methods of modifying traffic to evade network signature detection or to utilize misattribution techniques. Examples include channel/IP/VLAN hopping, mimicking legitimate operations, or seeding with misinformation. (Citation: HAMMERTOSS2015)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Unless defender is dissecting protocols or performing network signature analysis on any protocol deviations/patterns, this technique is largely undetected.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Some of the hiding techniques require special accesses (network, proximity, physical, etc.) and/or may rely on knowledge of how the defender operates and/or awareness on what visibility the defender has and how it is obtained", + "value": "Network-based hiding techniques - PRE-T1092", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1092" + ], + "external_id": "PRE-T1092", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "90884cdb-31dd-431c-87db-9cc7e03191e5" + }, + { + "description": "Once a persona has been developed an adversary will use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others. 
(Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Unless there is some threat intelligence reporting, these users are hard to differentiate.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: The nature of social media is such that the adversary naturally connects to a target of interest without suspicion, given the purpose of the platform is to promote connections between individuals. Performing activities like typical users, but with specific intent in mind.", + "value": "Friend/Follow/Connect to targets of interest - PRE-T1121", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1121" + ], + "external_id": "PRE-T1121", + "kill_chain": [ + "mitre-pre-attack:pre-attack:persona-development" + ] + }, + "uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nRemovable media containing malware can be injected in to a supply chain at large or small scale. It can also be physically placed for someone to find or can be sent to someone in a more targeted manner. The intent is to have the user utilize the removable media on a system where the adversary is trying to gain access. (Citation: USBMalwareAttacks) (Citation: FPDefendNewDomain) (Citation: ParkingLotUSB)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: From a technical perspective, detection of an adversary disseminating removable media is not possible as there is no technical element involved until the compromise phase. 
Most facilities generally do not perform extensive physical security patrols, which would be necessary in order to promptly identify an adversary deploying removable media to be used in an attack.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly executed technique by penetration testers to gain access to networks via end users who are innately trusting of newly found or available technology.", + "value": "Disseminate removable media - PRE-T1156", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1156" + ], + "external_id": "PRE-T1156", + "kill_chain": [ + "mitre-pre-attack:pre-attack:stage-capabilities" + ] + }, + "uuid": "2f442206-2983-4fc2-93fd-0a828e026412" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nReplacing a legitimate binary with malware can be accomplished either by replacing a binary on a legitimate download site or standing up a fake or alternative site with the malicious binary. The intent is to have a user download and run the malicious binary thereby executing malware. (Citation: FSecureICS)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: On the host end user system, integrity checking (e.g., hash verification, code signing enforcement), application whitelisting, sandboxing, or behavioral-based/heuristic-based systems are most likely to be successful in detecting this technique. On the source webserver, detecting binary changes is easy to detect if performed.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires the adversary to replace a binary on a website where users will download the binary (e.g., patch, firmware update, software application) as innately trusted. 
The additional challenge is the reduced set of vendor-trusted websites that are vulnerable.", + "value": "Replace legitimate binary with malware - PRE-T1155", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1155" + ], + "external_id": "PRE-T1155", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "0d759854-9b69-438c-8325-74b03cc80cf0" + }, + { + "description": "Data sets can be anything from Security Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line as well as in the physical world. (Citation: SANSThreatProfile) (Citation: Infosec-osint) (Citation: isight-osint)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This activity is indistinguishable from legitimate business uses and easy to obtain.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Large quantities of data exists on people, organizations and technologies whether divulged wittingly or collected as part of doing business on the Internet (unbeknownst to the user/company). Search engine and database indexing companies continuously mine this information and make it available to anyone who queries for it.", + "value": "Acquire OSINT data sets and information - PRE-T1054", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1054" + ], + "external_id": "PRE-T1054", + "kill_chain": [ + "mitre-pre-attack:pre-attack:organizational-information-gathering" + ] + }, + "uuid": "028ad431-84c5-4eb7-a364-2b797c234f88" + }, + { + "description": "An adversary may secure and protect their infrastructure just as defenders do. 
This could include the use of VPNs, security software, logging and monitoring, passwords, or other defensive measures. (Citation: KrebsTerracottaVPN)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Indistinguishable from standard security practices employed by legitimate operators.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary benefits from our own advances, techniques, and software when securing and protecting their own development infrastructure.", + "value": "Secure and protect infrastructure - PRE-T1094", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1094" + ], + "external_id": "PRE-T1094", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "cc0faf66-4df2-4328-9c9c-b0ca5de915ad" + }, + { + "description": "Firmware is permanent software programmed into the read-only memory of a device. As with other types of software, firmware may be updated over time and have multiple versions. (Citation: Abdelnur Advanced Fingerprinting)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No easy way for defenders to detect when an adversary collects this information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Depending upon the target device, there are variable ways for an adversary to determine the firmware version. In some cases, this information can be derived from easily obtained information. 
For example, in [http://www.cisco.com Cisco] devices, the firmware version is easily determined once the device model and OS version is known since it is included in the release notes.", + "value": "Determine firmware version - PRE-T1035", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1035" + ], + "external_id": "PRE-T1035", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "6baf6388-d49f-4804-86a4-5837240555cd" + }, + { + "description": "Leadership derives Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from the areas of most interest to them. KITs are an expression of management's intelligence needs with respect to early warning, strategic and operational decisions, knowing the competition, and understanding the competitive situation. KIQs are the critical questions aligned by KIT which provide the basis for collection plans, create a context for analytic work, and/or identify necessary external operations. (Citation: Herring1999)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "value": "Develop KITs/KIQs - PRE-T1004", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1004" + ], + "external_id": "PRE-T1004", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-planning" + ] + }, + "uuid": "6063b486-a247-499b-976a-9de16f4e83bc" + }, + { + "description": "Common Vulnerability Enumeration (CVE) is a dictionary of publicly known information about security vulnerabilities and exposures. An adversary can use this information to target specific software that may be vulnerable. 
(Citation: WeaponsVulnerable) (Citation: KasperskyCarbanak)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public source external to the defender's organization.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Using standard headers/fingerprints from normal traffic, it is often trivial to identify the SW or HW the target is running, which can be correlated against known CVEs and exploit packages.", + "value": "Research relevant vulnerabilities/CVEs - PRE-T1068", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1068" + ], + "external_id": "PRE-T1068", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-weakness-identification" + ] + }, + "uuid": "abd5bed1-4c12-45de-a623-ab8dc4ff862a" + }, + { + "description": "A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available as 3rd party infrastructure services. These services could provide an adversary with another avenue of approach or compromise. (Citation: LUCKYCAT2012) (Citation: Schneier-cloud) (Citation: Computerworld-suppliers)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary searches publicly available sources and may find this information on the 3rd party web site listing new customers/clients.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Press releases may reveal this information particularly when it is an expected cost savings or improvement for scalability/reliability.", + "value": "Determine 3rd party infrastructure services - PRE-T1061", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1061" + ], + "external_id": "PRE-T1061", + "kill_chain": [ + "mitre-pre-attack:pre-attack:organizational-information-gathering" + ] + }, + "uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05" + }, + { + "description": "This technique has been deprecated. 
Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique that takes advantage of flaws in client-side applications without targeting specific users. For example, an exploit placed on an often widely used public web site intended for drive-by delivery to whomever visits the site. (Citation: CitizenLabGreatCannon)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defensive technologies exist to scan web content before delivery to the requested end user. However, this is not fool proof as some sites encrypt web communications and the adversary constantly moves to sites not previously flagged as malicious thus defeating this defense. Host-based defenses can also aid in detection/mitigation as well as detection by the web site that got compromised.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery.", + "value": "Untargeted client-side exploitation - PRE-T1147", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1147" + ], + "external_id": "PRE-T1147", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "2ec57bf1-fcc3-4c19-9516-79b7fde483af" + }, + { + "description": "Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. 
(Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not have visibility on 3rd party sites unless target is successfully enticed to visit one.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly used technique currently (e.g., [https://www.wordpress.com WordPress] sites) as precursor activity to launching attack against intended target (e.g., acquiring botnet or layers of proxies for reducing attribution possibilities).", + "value": "Compromise 3rd party infrastructure to support delivery - PRE-T1089", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1089" + ], + "external_id": "PRE-T1089", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "4900fabf-1142-4c1f-92f5-0b590e049077" + }, + { + "description": "Email addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. For example if a known email address is first.last@company.com it is likely that others in the company will have an email in the same format. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Easily determined and not intended to be protected information. Publicly collected and shared repositories of email addresses exist.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Scraping of known email addresses from the target will likely reveal the target standard for address/username format. 
This information is easily discoverable.", + "value": "Discover target logon/email address format - PRE-T1032", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1032" + ], + "external_id": "PRE-T1032", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "ef0f816a-d561-4953-84c6-2a2936c96957" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nThe use of software, data, or commands to take advantage of a weakness in a computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. (Citation: GoogleCrawlerSQLInj)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: If the application and network are designed well, the defender should be able to utilize logging and application logic to catch and deflect SQL injection attacks.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Launching a SQL injection attack is not overly complex and a commonly used technique. This technique, however, requires finding a vulnerable application.", + "value": "Exploit public-facing application - PRE-T1154", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1154" + ], + "external_id": "PRE-T1154", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "8a64f743-acaa-49d5-9d3d-ae5616a3876f" + }, + { + "description": "Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) may be further subdivided to focus on political, economic, diplomatic, military, financial, or intellectual property categories. 
An adversary may specify KITs or KIQs in this manner in order to understand how the information they are pursuing can have multiple uses and to consider all aspects of the types of information they need to target for a particular purpose. (Citation: CompetitiveIntelligence) (Citation: CompetitiveIntelligence)KIT.\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "value": "Assess KITs/KIQs benefits - PRE-T1006", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1006" + ], + "external_id": "PRE-T1006", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-planning" + ] + }, + "uuid": "ae85ba2f-27ea-42d9-b42a-0fe89ee19ed5" + }, + { + "description": "Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. 
(Citation: DellComfooMasters)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: While possible to detect given a significant sample size, depending on how the unique identifier is used detection may be difficult as similar patterns may be employed elsewhere (e.g., content hosting providers, account reset URLs).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: An adversary can easily generate pseudo-random identifiers to associate with a specific target, include the indicator as part of a URL and then identify which target was successful.", + "value": "Obfuscate operational infrastructure - PRE-T1095", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1095" + ], + "external_id": "PRE-T1095", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "9d234df0-2344-4db4-bc0f-8de9c6c071a7" + }, + { + "description": "Malware may perform differently on different platforms (computer vs handheld) and different operating systems ([http://www.ubuntu.com Ubuntu] vs [http://www.apple.com/osx/ OS X]), and versions ([http://windows.microsoft.com Windows] 7 vs 10) so malicious actors will test their malware in the environment(s) where they most expect it to be executed. 
(Citation: BypassMalwareDefense)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary controls the test and defender likely has no visibility.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary can simulate most environments (e.g., variable operating systems, patch levels, application versions) with details available from other techniques.", + "value": "Test malware in various execution environments - PRE-T1134", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1134" + ], + "external_id": "PRE-T1134", + "kill_chain": [ + "mitre-pre-attack:pre-attack:test-capabilities" + ] + }, + "uuid": "e042a41b-5ecf-4f3a-8f1f-1b528c534772" + }, + { + "description": "Determining if a \"corporate\" help desk exists, the degree of access and control it has, and whether there are \"edge\" units that may have different support processes and standards. (Citation: SANSCentratlizeManagement)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No technical means to detect an adversary collecting information about a target. Any detection would be based upon strong OPSEC policy implementation.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Requires an adversary to undergo a research process to learn the internal workings of an organization. 
An adversary can do this by social engineering individuals in the company by claiming to need to find information for the help desk, or through social engineering of former employees or business partners.", + "value": "Determine centralization of IT management - PRE-T1062", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1062" + ], + "external_id": "PRE-T1062", + "kill_chain": [ + "mitre-pre-attack:pre-attack:organizational-information-gathering" + ] + }, + "uuid": "a7dff5d5-99f9-4a7e-ac54-a64113c28121" + }, + { + "description": "An adversary can test physical access options in preparation for the actual attack. This could range from observing behaviors and noting security precautions to actually attempting access. (Citation: OCIAC Pre Incident Indicators) (Citation: NewsAgencySpy)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defender often install badging, cameras, security guards or other detection techniques for physical security and monitoring.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires a physical presence in the space being entered and increased risk of being detected/detained (e.g., recorded on video camera)", + "value": "Test physical access - PRE-T1137", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1137" + ], + "external_id": "PRE-T1137", + "kill_chain": [ + "mitre-pre-attack:pre-attack:test-capabilities" + ] + }, + "uuid": "18bfa01c-9fa9-409f-91f5-4a2822609d81" + }, + { + "description": "Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an signed piece of code even if they don't know who issued the certificate or who the author is. 
(Citation: Adobe Code Signing Cert)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not know what certificates an adversary acquires from a 3rd party. Defender will not know prior to public disclosure if a 3rd party has had their certificate compromised.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: It is trivial to purchase code signing certificates within an organization; many exist and are available at reasonable cost. It is complex to factor or steal 3rd party code signing certificates for use in malicious mechanisms", + "value": "Acquire or compromise 3rd party signing certificates - PRE-T1087", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1087" + ], + "external_id": "PRE-T1087", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59" + }, + { + "description": "Leadership assesses the areas of most interest to them and generates Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ). For example, an adversary knows from open and closed source reporting that cyber is of interest, resulting in it being a KIT. (Citation: ODNIIntegration)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. 
May not be done by all adversaries.", + "value": "Assess leadership areas of interest - PRE-T1001", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1001" + ], + "external_id": "PRE-T1001", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-planning" + ] + }, + "uuid": "d3999268-740f-467e-a075-c82e2d04be62" + }, + { + "description": "Client configurations information such as the operating system and web browser, along with additional information such as version or language, are often transmitted as part of web browsing communications. This can be accomplished in several ways including use of a compromised web site to collect details on visiting computers. (Citation: UnseenWorldOfCookies) (Citation: Panopticlick)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Typical information collected as part of accessing web sites (e.g., operating system, browser version, basic configurations).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Basic web scripting capability to collect information of interest on users of interest. Requires a compromised web site and the users of interest to navigate there.", + "value": "Enumerate client configurations - PRE-T1039", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1039" + ], + "external_id": "PRE-T1039", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "78ae433b-289d-4c8d-b8c1-f8de0b7f9090" + }, + { + "description": "Every domain registrar maintains a publicly viewable database that displays contact information for every registered domain. Private 'whois' services display alternative information, such as their own company data, rather than the owner of the domain. 
(Citation: APT1)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Algorithmically possible to detect COTS service usage or use of non-specific mailing addresses (PO Boxes, drop sites, etc.)\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commercially available or easy to set up and/or register using a disposable email account.", + "value": "Private whois services - PRE-T1082", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1082" + ], + "external_id": "PRE-T1082", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "3160347f-11ac-44a3-9640-a648b3c17a8f" + }, + { + "description": "Once generated, Key Intelligence Topics (KITs), Key Intelligence Questions (KIQs), and/or intelligence requirements are assigned to applicable agencies and/or personnel. For example, an adversary may decide nuclear energy requirements should be assigned to a specific organization based on their mission. (Citation: AnalystsAndPolicymaking) (Citation: JP2-01)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. 
May not be done by all adversaries.", + "value": "Assign KITs, KIQs, and/or intelligence requirements - PRE-T1015", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1015" + ], + "external_id": "PRE-T1015", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-direction" + ] + }, + "uuid": "4fad17d3-8f42-449d-ac4b-dbb4c486127d" + }, + { + "description": "Personnel internally to a company may belong to a group or maintain a role with electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is a system administrator. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires an adversary to undergo an intensive research process. It is resource intensive or requires special data access. May be easier for certain specialty use cases.", + "value": "Identify groups/roles - PRE-T1047", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1047" + ], + "external_id": "PRE-T1047", + "kill_chain": [ + "mitre-pre-attack:pre-attack:people-information-gathering" + ] + }, + "uuid": "89a79d91-53e0-4ef5-ba28-558cb8b01f76" + }, + { + "description": "After compromise, an adversary may utilize additional tools to facilitate their end goals. This may include tools to further explore the system, move laterally within a network, exfiltrate data, or destroy data. 
(Citation: SofacyHits)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but development will be performed on their local systems.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Post compromise tool development is a standard part of the adversary's protocol in developing the necessary tools required to completely conduct an attack.", + "value": "Post compromise tool development - PRE-T1130", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1130" + ], + "external_id": "PRE-T1130", + "kill_chain": [ + "mitre-pre-attack:pre-attack:build-capabilities" + ] + }, + "uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7" + }, + { + "description": "There is usually a delay between when a vulnerability or exploit is discovered and when it is made public. An adversary may target the systems of those known to research vulnerabilities in order to gain that knowledge for use during a different attack. 
(Citation: TempertonDarkHotel)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: The compromise of unknown vulnerabilities would provide little attack and warning against a defender, rendering it highly challenging to detect.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Finding, attacking, and compromising a 3rd party or closed vulnerability entity is challenging, because those containing the vulnerabilities should be very aware of attacks on their environments have a heightened awareness.", + "value": "Compromise 3rd party or closed-source vulnerability/exploit information - PRE-T1131", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1131" + ], + "external_id": "PRE-T1131", + "kill_chain": [ + "mitre-pre-attack:pre-attack:build-capabilities" + ] + }, + "uuid": "5a68c603-d7f9-4535-927e-ab56819eaa85" + }, + { + "description": "Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line, such as from search engines, as well as in the physical world. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This activity is indistinguishable from legitimate business uses and easy to obtain. Direct access to the selected target is not required for the adversary to conduct this technique. There is a limited ability to detect this by looking at referrer fields on local web site accesses (e.g., a person who has accessed your web servers from [https://www.shodan.io Shodan]).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Possible to gather technical intelligence about Internet accessible systems/devices by obtaining various commercial data sets and supporting business intelligence tools for ease of analysis. 
Commercial data set examples include advertising content delivery networks, Internet mapping/traffic collections, system fingerprinting data sets, device fingerprinting data sets, etc.", + "value": "Acquire OSINT data sets and information - PRE-T1024", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1024" + ], + "external_id": "PRE-T1024", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b" + }, + { + "description": "A wide variety of 3rd party software services are available (e.g., [https://twitter.com Twitter], [https://www.dropbox.com Dropbox], [https://www.google.com/docs/about/ GoogleDocs]). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012) (Citation: Nemucod Facebook)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not have visibility over account creation for 3rd party software services.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: 3rd party services like these listed are freely available.", + "value": "Acquire and/or use 3rd party software services - PRE-T1085", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1085" + ], + "external_id": "PRE-T1085", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "1a295f87-af63-4d94-b130-039d6221fb11" + }, + { + "description": "This technique has been deprecated. 
Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nUpon successful compromise the adversary may implement methods for confirming success including communication to a command and control server, exfiltration of data, or a verifiable intended effect such as a publicly accessible resource being inaccessible or a web page being defaced. (Citation: FireEye Malware Stages) (Citation: APTNetworkTrafficAnalysis)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Current commercial tools and sensitive analytics can be used to detect communications to command and control servers or data exfiltration.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Certainty of the confirmation of compromise is not guaranteed unless the adversary sees communication to a command and control server, exfiltration of data, or an intended effect occur.", + "value": "Confirmation of launched compromise achieved - PRE-T1160", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1160" + ], + "external_id": "PRE-T1160", + "kill_chain": [ + "mitre-pre-attack:pre-attack:compromise" + ] + }, + "uuid": "f4c5d1d9-8f0e-46f1-a9fa-f9a440926046" + }, + { + "description": "Job postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts. 
(Citation: JobPostingThreat)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public source external to the defender's organization.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very public by design.", + "value": "Identify job postings and needs/gaps - PRE-T1044", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1044" + ], + "external_id": "PRE-T1044", + "kill_chain": [ + "mitre-pre-attack:pre-attack:people-information-gathering" + ] + }, + "uuid": "0722cd65-0c83-4c89-9502-539198467ab1" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nSocial Engineering is the practice of manipulating people in order to get them to divulge information or take an action. Human Intelligence (HUMINT) is intelligence collected and provided by human sources. (Citation: 17millionScam) (Citation: UbiquityEmailScam)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Assuming an average company does not train its employees to be aware of social engineering techniques, it is not possible to detect the adversary's use unless a highly motivated or paranoid employee informs security. This assessment flips to a 1 in cases of environments where security trains employees to be vigilant or in specialized industries where competitive intelligence and business intelligence train employees to be highly aware. Most likely more complex for an adversary to detect as methods move to physical or non traditionally monitored mechanisms (such as phone calls outside of call centers). Furthermore, the content of such an interaction may be lost due to lack of collection.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Assuming an average adversary whose focus is social engineering, it is not difficult for an adversary. 
Assuming a HUMINT operation and specialized circumstances, the adversary difficulty becomes 1. Social engineering can be easily done remotely via email or phone. In contrast, HUMINT operations typically would require physical contact at some point in the process, increasing the difficulty.", + "value": "Conduct social engineering or HUMINT operation - PRE-T1153", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1153" + ], + "external_id": "PRE-T1153", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "b79a1960-d0be-4b51-bb62-b27e91e1dea0" + }, + { + "description": "A wide variety of 3rd party software services are available (e.g., [https://twitter.com Twitter], [https://www.dropbox.com Dropbox], [https://www.google.com/docs/about/ GoogleDocs]). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LOWBALL2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not have visibility over account creation for 3rd party software services.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: 3rd party services like these listed are freely available.", + "value": "Acquire and/or use 3rd party software services - PRE-T1107", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1107" + ], + "external_id": "PRE-T1107", + "kill_chain": [ + "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure" + ] + }, + "uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6" + }, + { + "description": "An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. 
(Citation: OSFingerprinting2014)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Analyze network traffic to determine security filtering policies, packets dropped, etc.", + "value": "Analyze hardware/software security defensive capabilities - PRE-T1071", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1071" + ], + "external_id": "PRE-T1071", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-weakness-identification" + ] + }, + "uuid": "a1e8d61b-22e1-4983-8485-96420152ecd8" + }, + { + "description": "Dynamic DNS is a automated method to rapidly update the domain name system mapping of hostnames to IPs. (Citation: FireEyeSupplyChain)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not know at first use what is valid or hostile traffic without more context.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: It is relatively easy to subscribe to dynamic DNS providers or find ways to get different IP addresses from a cloud provider.", + "value": "Dynamic DNS - PRE-T1110", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1110" + ], + "external_id": "PRE-T1110", + "kill_chain": [ + "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure" + ] + }, + "uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe" + }, + { + "description": "An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may need to discover new exploits when existing exploits are no longer relevant to the environment they are trying to compromise. 
An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. (Citation: EquationQA)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Public source external to the defender's organization.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Many public sources exist for this information.", + "value": "Discover new exploits and monitor exploit-provider forums - PRE-T1127", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1127" + ], + "external_id": "PRE-T1127", + "kill_chain": [ + "mitre-pre-attack:pre-attack:build-capabilities" + ] + }, + "uuid": "82bbd209-f516-45e0-9542-4ffbbc2a8717" + }, + { + "description": "For attacks incorporating social engineering the utilization of an on-line persona is important. Utilizing an existing persona with compromised accounts may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. (Citation: AnonHBGary) (Citation: Hacked Social Media Accounts)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Possible to detect compromised credentials if alerting from a service provider is enabled and acted upon by the individual.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: It is relatively easy and low cost to purchase compromised credentials. Mining social media sites offers open source information about a particular target. 
Most users tend to reuse passwords across sites and are not paranoid enough to check and see if spoofed sites from their persona exist across current social media.", + "value": "Choose pre-compromised persona and affiliated accounts - PRE-T1120", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1120" + ], + "external_id": "PRE-T1120", + "kill_chain": [ + "mitre-pre-attack:pre-attack:persona-development" + ] + }, + "uuid": "9a8c47f6-ae69-4044-917d-4b1602af64d9" + }, + { + "description": "Open source intelligence (OSINT) provides free, readily available information about a target while providing the target no indication they are of interest. Such information can assist an adversary in crafting a successful approach for compromise. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This activity is indistinguishable from legitimate business uses and easy to obtain.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Possible to gather digital intelligence about a person is easily aided by social networking sites, free/for fee people search engines, and publicly available information (e.g., county databases on tickets/DUIs).", + "value": "Acquire OSINT data sets and information - PRE-T1043", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1043" + ], + "external_id": "PRE-T1043", + "kill_chain": [ + "mitre-pre-attack:pre-attack:people-information-gathering" + ] + }, + "uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a" + }, + { + "description": "The attempt to identify people of interest or with an inherent weakness for direct or indirect targeting to determine an approach to compromise a person or organization. Such targets may include individuals with poor OPSEC practices or those who have a trusted relationship with the intended target. 
(Citation: RSA-APTRecon) (Citation: Scasny2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Common defenses protecting against poor OPSEC practices are traditionally more policy-based in nature rather than technical. Policy-based mitigations are generally more difficult to enforce and track violations, making it more difficult that this technique can be detected by common defenses.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Specialty cases enable an adversary to use key words in order to search social media and identify personnel with poor OPSEC practices who may have access to specialized information which would make them a target of interest. In addition, the open nature of social media leads to a tendency among individuals to overshare, encouraging poor OPSEC and increasing the ease by which an adversary can identify interesting targets.", + "value": "Identify people of interest - PRE-T1046", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1046" + ], + "external_id": "PRE-T1046", + "kill_chain": [ + "mitre-pre-attack:pre-attack:people-information-gathering" + ] + }, + "uuid": "0c0f075b-5d69-43f2-90df-d9ad18f44624" + }, + { + "description": "Network trusts enable communications between different networks with specific accesses and permissions. Network trusts could include the implementation of domain trusts or the use of virtual private networks (VPNs). (Citation: CuckoosEgg) (Citation: CuckoosEgg)Wikipedia (Citation: KGBComputerMe)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This is not easily performed remotely and therefore not a detectable event. If the adversary can sniff traffic to deduce trust relations, this is a passive activity and not detectable.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Determining trust relationships once internal to a network is trivial. 
Simple tools like trace route can show evidence of firewalls or VPNs and then hosts on the either side of the firewall indicating a different trusted network. Active Directory command line tools can also identify separate trusted networks.\n\nIf completely external to a network, sniffing traffic (if possible) could also reveal the communications protocols that could be guessed to be a trusted network connection (e.g., IPsec, maybe SSL, etc.) though this is error-prone. \n\nWith no other access, this is hard for an adversary to do completely from a remote vantage point.", + "value": "Determine external network trust dependencies - PRE-T1036", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1036" + ], + "external_id": "PRE-T1036", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-information-gathering" + ] + }, + "uuid": "a2fc93cd-e371-4755-9305-2615b6753d91" + }, + { + "description": "An adversary undergoes an iterative target selection process that may begin either broadly and narrow down into specifics (strategic to tactical) or narrowly and expand outward (tactical to strategic). As part of this process, an adversary may determine a high level target they wish to attack. One example of this may be a particular country, government, or commercial sector. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12 (R)) (Citation: DoD Cyber 2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. 
May change for special use cases or adversary and defender overlays.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.", + "value": "Determine strategic target - PRE-T1018", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1018" + ], + "external_id": "PRE-T1018", + "kill_chain": [ + "mitre-pre-attack:pre-attack:target-selection" + ] + }, + "uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" + }, + { + "description": "Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This can be done offline after the data has been collected.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Job postings and hiring requisitions have to be made public for contractors and many times have the name of the organization being supported. In addition, they outline the skills needed to do a particular job, which can provide insight into the technical structure and organization of a target.", + "value": "Analyze organizational skillsets and deficiencies - PRE-T1066", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1066" + ], + "external_id": "PRE-T1066", + "kill_chain": [ + "mitre-pre-attack:pre-attack:technical-weakness-identification" + ] + }, + "uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc" + }, + { + "description": "If going from strategic down to tactical or vice versa, an adversary would next consider the operational element. For example, the specific company within an industry or agency within a government. 
(Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12 (R)) (Citation: DoD Cyber 2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. May change for special use cases or adversary and defender overlays.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.", + "value": "Determine operational element - PRE-T1019", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1019" + ], + "external_id": "PRE-T1019", + "kill_chain": [ + "mitre-pre-attack:pre-attack:target-selection" + ] + }, + "uuid": "c860af4a-376e-46d7-afbf-262c41012227" + }, + { + "description": "An adversary can test their planned method of attack against existing security products such as email filters or intrusion detection sensors (IDS). (Citation: WiredVirusTotal)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Use of sites like [https://www.virustotal.com VirusTotal] to test signature detection often occurs to test detection. Defender can also look for newly added uploads as a precursor to an adversary's launch of an attack.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Current open source technologies and websites exist to facilitate adversary testing of malware against signatures.", + "value": "Test signature detection for file upload/email filters - PRE-T1138", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1138" + ], + "external_id": "PRE-T1138", + "kill_chain": [ + "mitre-pre-attack:pre-attack:test-capabilities" + ] + }, + "uuid": "c9ac5715-ee5c-4380-baf4-6f12e304ca93" + }, + { + "description": "From a tactical viewpoint, an adversary could potentially have a primary and secondary level target. 
The primary target represents the highest level tactical element the adversary wishes to attack. For example, the corporate network within a corporation or the division within an agency. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12 (R)) (Citation: DoD Cyber 2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. May change for special use cases or adversary and defender overlays.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.", + "value": "Determine highest level tactical element - PRE-T1020", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1020" + ], + "external_id": "PRE-T1020", + "kill_chain": [ + "mitre-pre-attack:pre-attack:target-selection" + ] + }, + "uuid": "dc7dfc9f-be1b-4e6e-a2e6-9a9bb2400ec9" + }, + { + "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique used to compromise a specific group of end users by taking advantage of flaws in client-side applications. For example, infecting websites that members of a targeted group are known to visit with the goal to infect a targeted user's computer. (Citation: RSASEThreat) (Citation: WikiStagefright) (Citation: ForbesSecurityWeek) (Citation: StrongPity-waterhole)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defensive technologies exist to scan web content before delivery to the requested end user. However, this is not foolproof as some sites encrypt web communications and the adversary constantly moves to sites not previously flagged as malicious thus defeating this defense. Host-based defenses can also aid in detection/mitigation as well as detection by the web site that got compromised. 
The added challenge for a conditional watering hole is the reduced scope and likely reduced ability to detect or be informed. Determining deltas in content (e.g., differences files type/size/number/hashes) downloaded could also aid in detection.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery. The additional challenge is the reduced set of options for web sites to compromise since the set is reduced to those often visited by targets of interest.", + "value": "Targeted client-side exploitation - PRE-T1148", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1148" + ], + "external_id": "PRE-T1148", + "kill_chain": [ + "mitre-pre-attack:pre-attack:launch" + ] + }, + "uuid": "72923cae-6c8c-4da2-8f48-b73389529c25" + }, + { + "description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships, that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Requires an intensive process to obtain the full picture. It is possible to obtain basic information/some aspects via OSINT. 
May be easier in certain industries where there are a limited number of suppliers (e.g., SCADA).", + "value": "Identify supply chains - PRE-T1042", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1042" + ], + "external_id": "PRE-T1042", + "kill_chain": [ + "mitre-pre-attack:pre-attack:people-information-gathering" + ] + }, + "uuid": "59369f72-3005-4e54-9095-3d00efcece73" + }, + { + "description": "An adversary needs the necessary skills to set up procured equipment and software to create their desired infrastructure. (Citation: KasperskyRedOctober)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender will not have visibility on 3rd party sites unless target is successfully enticed to visit one.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Skills are common to majority of computer scientists and \"hackers\". Can be easily obtained through contracting if not organic to adversary's organization.", + "value": "Install and configure hardware, network, and systems - PRE-T1113", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1113" + ], + "external_id": "PRE-T1113", + "kill_chain": [ + "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure" + ] + }, + "uuid": "73e394e5-3d8a-40d1-ab8c-a1b4ea9db424" + }, + { + "description": "Host based hiding techniques are designed to allow an adversary to remain undetected on a machine upon which they have taken action. They may do this through the use of static linking of binaries, polymorphic code, exploiting weakness in file formats, parsers, or self-deleting code. 
(Citation: VirutAP)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Techniques are difficult to detect and might occur in uncommon use-cases (e.g., patching, anti-malware, anti-exploitation software).\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Some of the host-based hiding techniques require advanced knowledge combined with an understanding and awareness of the target's environment (e.g., exploiting weaknesses in file formats, parsers and detection capabilities).", + "value": "Host-based hiding techniques - PRE-T1091", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1091" + ], + "external_id": "PRE-T1091", + "kill_chain": [ + "mitre-pre-attack:pre-attack:adversary-opsec" + ] + }, + "uuid": "6f088e84-37b2-44de-8df3-393908f2d77b" + }, + { + "description": "Physical locality information may be used by an adversary to shape social engineering attempts (language, culture, events, weather, etc.) or to plan for physical actions such as dumpster diving or attempting to access a facility. (Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary searches publicly available sources that list physical locations that cannot be monitored by a defender or are not necessarily monitored (e.g., all IP addresses touching their public web space listing physical locations).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Most corporations now list their locations on public facing websites. 
Some challenge still exists to find covert or sensitive locations.", + "value": "Determine physical locations - PRE-T1059", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1059" + ], + "external_id": "PRE-T1059", + "kill_chain": [ + "mitre-pre-attack:pre-attack:organizational-information-gathering" + ] + }, + "uuid": "2011ffeb-8003-41ef-b962-9d1cbfa35e6d" + }, + { + "description": "Leadership conducts a cost/benefit analysis that generates a compelling need for information gathering which triggers a Key Intelligence Toptic (KIT) or Key Intelligence Question (KIQ). For example, an adversary compares the cost of cyber intrusions with the expected benefits from increased intelligence collection on cyber adversaries. (Citation: LowenthalCh4) (Citation: KIT-Herring)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "value": "Conduct cost/benefit analysis - PRE-T1003", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1003" + ], + "external_id": "PRE-T1003", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-planning" + ] + }, + "uuid": "51bca707-a806-49bf-91e0-03885b0ac85c" + }, + { + "description": "Applicable agencies and/or personnel receive intelligence requirements and evaluate them to determine sub-requirements related to topics, questions, or requirements. For example, an adversary's nuclear energy requirements may be further divided into nuclear facilities versus nuclear warhead capabilities. (Citation: AnalystsAndPolicymaking)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. 
Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "value": "Receive KITs/KIQs and determine requirements - PRE-T1016", + "meta": { + "refs": [ + "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1016" + ], + "external_id": "PRE-T1016", + "kill_chain": [ + "mitre-pre-attack:pre-attack:priority-definition-direction" + ] + }, + "uuid": "acfcbe7a-4dbc-4471-be2b-134faf479e3e" + }, + { + "description": "Outsourcing, the arrangement of one company providing goods or services to another company for something that could be done in-house, provides another avenue for an adversary to target. Businesses often have networks, portals, or other technical connections between themselves and their outsourced/partner organizations that could be exploited. Additionally, outsourced/partner organization information could provide opportunities for phishing. (Citation: Scasny2015) (Citation: OPM Breach)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Much of this analysis can be done using the target's open source website, which is purposely designed to be informational and may not have extensive visitor tracking capabilities.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Analyzing business relationships from information gathering may provide insight into outsourced capabilities. 
In certain industries, outsourced capabilities or close business partnerships may be advertised on corporate websites.",
+ "value": "Analyze presence of outsourced capabilities - PRE-T1080",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1080"
+ ],
+ "external_id": "PRE-T1080",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:organizational-weakness-identification"
+ ]
+ },
+ "uuid": "34450117-d1d5-417c-bb74-4359fc6551ca"
+ },
+ {
+ "description": "Implementation plans specify how the goals of the strategic plan will be executed. (Citation: ChinaCollectionPlan) (Citation: OrderOfBattle)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Normal aspect of adversary planning lifecycle. May not be done by all adversaries.",
+ "value": "Create implementation plan - PRE-T1009",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1009"
+ ],
+ "external_id": "PRE-T1009",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:priority-definition-planning"
+ ]
+ },
+ "uuid": "b355817c-cf63-43b4-94a4-05e9645fa910"
+ },
+ {
+ "description": "Using alternative payment options allows an adversary to hide their activities. Options include crypto currencies, barter systems, pre-paid cards or shell accounts. (Citation: Goodin300InBitcoins)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Defender likely will not have access to payment information. Monitoring crypto-currency or barter boards is resource intensive and not fully automatable.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Easy to use pre-paid cards or shell accounts to pay for services online. 
Crypto currencies and barter systems can avoid use of trace-able bank or credit apparatus.",
+ "value": "Non-traditional or less attributable payment options - PRE-T1093",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1093"
+ ],
+ "external_id": "PRE-T1093",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:adversary-opsec"
+ ]
+ },
+ "uuid": "b79e8a3f-a109-47c2-a0e3-564955590a3d"
+ },
+ {
+ "description": "In addition to a target's social media presence may exist a larger digital footprint, such as accounts and credentials on e-commerce sites or usernames and logins for email. An adversary familiar with a target's username can mine to determine the target's larger digital footprint via publicly available sources. (Citation: DigitalFootprint) (Citation: trendmicro-vtech)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Information readily available through searches",
+ "value": "Aggregate individual's digital footprint - PRE-T1052",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1052"
+ ],
+ "external_id": "PRE-T1052",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:people-information-gathering"
+ ]
+ },
+ "uuid": "b3f36317-3940-4d71-968f-e11ac1bf6a31"
+ },
+ {
+ "description": "An adversary may identify sensitive personnel information not typically posted on a social media site, such as address, marital status, financial history, and law enforcement infractions. This could be conducted by searching public records that are frequently available for free or at a low cost online. 
(Citation: RSA-APTRecon)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Searching publicly available sources that cannot be monitored by a defender.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This type of information is useful to understand the individual and their ability to be blackmailed. Searching public records is easy and most information can be purchased for a low cost if the adversary really wants it.",
+ "value": "Identify sensitive personnel information - PRE-T1051",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1051"
+ ],
+ "external_id": "PRE-T1051",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:people-information-gathering"
+ ]
+ },
+ "uuid": "7dae871c-effc-444b-9962-4b7efefe7d40"
+ },
+ {
+ "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nThrough social engineering or other methods, an adversary can get users to perform physical actions that provide access to an adversary. This could include providing a password over the phone or inserting a 'found' CD or USB into a system. 
(Citation: AnonHBGary) (Citation: CSOInsideOutside)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Non-hypersensing environments do not typically collect this level of detailed information.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Ill-informed users insert devices into their network that they randomly find, despite training educating them why this is not a wise idea.",
+ "value": "Human performs requested action of physical nature - PRE-T1162",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1162"
+ ],
+ "external_id": "PRE-T1162",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:compromise"
+ ]
+ },
+ "uuid": "fb39384c-00e4-414a-88af-e80c4904e0b8"
+ },
+ {
+ "description": "During mergers, divestitures, or other period of change in joint infrastructure or business processes there may be an opportunity for exploitation. During this type of churn, unusual requests, or other non standard practices may not be as noticeable. (Citation: RossiMergers) (Citation: MeidlHealthMergers)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Most of this activity would target partners and business processes. Partners would not report. Difficult to tie this activity to a cyber attack.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Mapping joint infrastructure and business processes is difficult without insider knowledge or SIGINT capability. 
While a merger creates and opportunity to exploit potentially cumbersome or sloppy business processes, advance notice of a merger is difficult; merger information is typically close-hold until the deal is done.",
+ "value": "Assess opportunities created by business deals - PRE-T1076",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1076"
+ ],
+ "external_id": "PRE-T1076",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:organizational-weakness-identification"
+ ]
+ },
+ "uuid": "e2aa077d-60c9-4de5-b015-a9c382877cd9"
+ },
+ {
+ "description": "The process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner. (Citation: CiscoAngler) (Citation: ProofpointDomainShadowing)\n\nDetectable by Common Defenses: Partial\n\nDetectable by Common Defenses explanation: Detection of this technique requires individuals to monitor their domain registrant accounts routinely. In addition, defenders have had success with blacklisting sites or IP addresses, but an adversary can defeat this by rotating either the subdomains or the IP addresses associated with the campaign.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: To successfully conduct this attack, an adversary usually phishes the individual behind the domain registrant account, logs in with credentials, and creates a large amount of subdomains.",
+ "value": "Shadow DNS - PRE-T1117",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1117"
+ ],
+ "external_id": "PRE-T1117",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure"
+ ]
+ },
+ "uuid": "3f157dee-74f0-41fc-801e-f837b8985b0a"
+ },
+ {
+ "description": "A payload is the part of the malware which performs a malicious action. 
The adversary may create custom payloads when none exist with the needed capability or when targeting a specific environment. (Citation: APT1)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: It is likely that an adversary will create and develop payloads on inaccessible or unknown networks for OPSEC reasons.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: Specialized tools exist for research, development, and testing of virus/malware payloads.",
+ "value": "Create custom payloads - PRE-T1122",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1122"
+ ],
+ "external_id": "PRE-T1122",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:build-capabilities"
+ ]
+ },
+ "uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234"
+ },
+ {
+ "description": "Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: No technical means to detect an adversary collecting information about a target. Any detection would be based upon strong OPSEC policy implementation.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Very effective technique for the adversary that does not require any formal training and relies upon finding just one person who exhibits poor judgement.",
+ "value": "Conduct social engineering - PRE-T1045",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1045"
+ ],
+ "external_id": "PRE-T1045",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:people-information-gathering"
+ ]
+ },
+ "uuid": "af358cad-eb71-4e91-a752-236edc237dae"
+ },
+ {
+ "description": "Certificates are designed to instill trust. 
They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. Acquiring a certificate for a domain name similar to one that is expected to be trusted may allow an adversary to trick a user in to trusting the domain (e.g., vvachovia instead of [https://www.wellsfargo.com/about/corporate/wachovia/ Wachovia] -- homoglyphs). (Citation: SubvertSSL) (Citation: PaypalScam)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Defender can monitor for domains similar to popular sites (possibly leverage [https://www.alexa.com Alexa] top ''N'' lists as starting point).\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: SSL certificates are readily available at little to no cost.",
+ "value": "SSL certificate acquisition for domain - PRE-T1114",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1114"
+ ],
+ "external_id": "PRE-T1114",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:establish-&-maintain-infrastructure"
+ ]
+ },
+ "uuid": "e34b9ca1-8778-41a3-bba5-8edaab4076dc"
+ },
+ {
+ "description": "An adversary can run their code on systems with cyber security protections, such as antivirus products, in place to see if their code is detected. They can also test their malware on freely available public services. 
(Citation: MalwareQAZirtest)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary controls the testing and can ensure data does not leak with proper OPSEC on testing.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Adversary has the ability to procure products and not have reporting return to vendors or can choose to use freely available services",
+ "value": "Test malware to evade detection - PRE-T1136",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1136"
+ ],
+ "external_id": "PRE-T1136",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:test-capabilities"
+ ]
+ },
+ "uuid": "8b57a8f1-9cbc-4b95-b162-cc2a1add94f2"
+ },
+ {
+ "description": "An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may use or modify existing exploits when those exploits are still relevant to the environment they are trying to compromise. (Citation: NYTStuxnet) (Citation: NationsBuying)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Adversary will likely use code repositories, but development will be performed on their local systems.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Several exploit repositories and tool suites exist for re-use and tailoring.",
+ "value": "Build or acquire exploits - PRE-T1126",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1126"
+ ],
+ "external_id": "PRE-T1126",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:build-capabilities"
+ ]
+ },
+ "uuid": "4886e3c2-468b-4e26-b7e5-2031d995d13a"
+ },
+ {
+ "description": "This technique has been deprecated. 
Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nIf an adversary can gain physical access to the target's environment they can introduce a variety of devices that provide compromise mechanisms. This could include installing keyboard loggers, adding routing/wireless equipment, or connecting computing devices. (Citation: Credit Card Skimmers)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This varies depending on the amount of monitoring within the environment. Highly secure environments might have more innate monitoring and catch an adversary doing this more easily.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: This likely requires the adversary to have close or insider access to introduce the mechanism of compromise.",
+ "value": "Unauthorized user introduces compromise delivery mechanism - PRE-T1164",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1164"
+ ],
+ "external_id": "PRE-T1164",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:compromise"
+ ]
+ },
+ "uuid": "b3253d9e-ba11-430f-b5a3-4db844ce5413"
+ },
+ {
+ "description": "Certain types of traffic (e.g., Twitter14, HTTP) are more commonly used than others. Utilizing more common protocols and software may make an adversary's traffic more difficult to distinguish from legitimate traffic. (Citation: symantecNITRO)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: High level of entropy in communications. 
High volume of communications makes it extremely hard for a defender to distinguish between legitimate and adversary communications.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to decipher or to make the communication less conspicuous.",
+ "value": "Common, high volume protocols and software - PRE-T1098",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1098"
+ ],
+ "external_id": "PRE-T1098",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:adversary-opsec"
+ ]
+ },
+ "uuid": "0c592c79-29a7-4a94-81a4-c87eae3aead6"
+ },
+ {
+ "description": "Certain types of traffic (e.g., DNS tunneling, header inject) allow for user-defined fields. These fields can then be used to hide data. In addition to hiding data in network protocols, steganography techniques can be used to hide data in images or other file formats. Detection can be difficult unless a particular signature is already known. (Citation: BotnetsDNSC2) (Citation: HAMMERTOSS2015) (Citation: DNS-Tunnel)\n\nDetectable by Common Defenses: Yes\n\nDetectable by Common Defenses explanation: Unless defender is dissecting protocols or performing network signature analysis on any protocol deviations/patterns, this technique is largely undetected.\n\nDifficulty for the Adversary: No\n\nDifficulty for the Adversary explanation: This technique requires a more advanced protocol understanding and testing to insert covert communication into legitimate protocol fields.",
+ "value": "Data Hiding - PRE-T1097",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1097"
+ ],
+ "external_id": "PRE-T1097",
+ "kill_chain": [
+ "mitre-pre-attack:pre-attack:adversary-opsec"
+ ]
+ },
+ "uuid": "1ff8b824-5287-4583-ab6a-013bf36d4864"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/galaxies/mitre-mobile-attack-attack-pattern.json b/galaxies/mitre-mobile-attack-attack-pattern.json
index 7f56d55..7cee3e0 100644
--- a/galaxies/mitre-mobile-attack-attack-pattern.json
+++ b/galaxies/mitre-mobile-attack-attack-pattern.json
@@ -1,8 +1,8 @@
 {
- "name": "Mobile Attack - Attack Pattern",
- "type": "mitre-mobile-attack-attack-pattern",
- "description": "ATT&CK Tactic",
- "uuid": "1c6d1332-1708-11e8-847c-e3c5643c41a5",
- "version": 3,
- "icon": "map"
-}
+ "name": "Mobile Attack - Attack Pattern",
+ "type": "mitre-mobile-attack-attack-pattern",
+ "description": "ATT&CK Tactic",
+ "uuid": "1c6d1332-1708-11e8-847c-e3c5643c41a5",
+ "version": 3,
+ "icon": "map"
+}
\ No newline at end of file
diff --git a/galaxies/mitre-pre-attack-attack-pattern.json b/galaxies/mitre-pre-attack-attack-pattern.json
index 6edfedb..88088b1 100644
--- a/galaxies/mitre-pre-attack-attack-pattern.json
+++ b/galaxies/mitre-pre-attack-attack-pattern.json
@@ -1,8 +1,8 @@
 {
- "name": "Pre Attack - Attack Pattern",
- "type": "mitre-pre-attack-attack-pattern",
- "description": "ATT&CK Tactic",
- "uuid": "1f665850-1708-11e8-9cfe-4792b2a91402",
- "version": 3,
- "icon": "map"
-}
+ "name": "Pre Attack - Attack Pattern",
+ "type": "mitre-pre-attack-attack-pattern",
+ "description": "ATT&CK Tactic",
+ "uuid": "1f665850-1708-11e8-9cfe-4792b2a91402",
+ "version": 3,
+ "icon": "map"
+}
\ No newline at end of file
diff --git a/tools/mitre-cti/v2.0/create_mitre-mobile-attack-attack-pattern_galaxy.py b/tools/mitre-cti/v2.0/create_mitre-mobile-attack-attack-pattern_galaxy.py
index 8e49cbc..fa62126 100644
--- a/tools/mitre-cti/v2.0/create_mitre-mobile-attack-attack-pattern_galaxy.py
+++ b/tools/mitre-cti/v2.0/create_mitre-mobile-attack-attack-pattern_galaxy.py
@@ -32,7 +32,7 @@ for element in os.listdir('.'):
 value['meta']['external_id'] = reference['external_id']
 value['meta']['kill_chain'] = []
 for killchain in temp['kill_chain_phases']:
- value['meta']['kill_chain'].append(killchain['kill_chain_name'] + ':enterprise-attack:' + killchain['phase_name'])
+ value['meta']['kill_chain'].append(killchain['kill_chain_name'] + ':mobile-attack:' + killchain['phase_name'])
 if 'x_mitre_data_sources' in temp:
 value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources']
 if 'x_mitre_platforms' in temp:
diff --git a/tools/mitre-cti/v2.0/create_mitre-pre-attack-attack-pattern_galaxy.py b/tools/mitre-cti/v2.0/create_mitre-pre-attack-attack-pattern_galaxy.py
index 032db41..0576068 100644
--- a/tools/mitre-cti/v2.0/create_mitre-pre-attack-attack-pattern_galaxy.py
+++ b/tools/mitre-cti/v2.0/create_mitre-pre-attack-attack-pattern_galaxy.py
@@ -32,7 +32,7 @@ for element in os.listdir('.'):
 value['meta']['external_id'] = reference['external_id']
 value['meta']['kill_chain'] = []
 for killchain in temp['kill_chain_phases']:
- value['meta']['kill_chain'].append(killchain['kill_chain_name'] + ':enterprise-attack:' + killchain['phase_name'])
+ value['meta']['kill_chain'].append(killchain['kill_chain_name'] + ':pre-attack:' + killchain['phase_name'])
 if 'x_mitre_data_sources' in temp:
 value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources']
 if 'x_mitre_platforms' in temp:
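Review bot: The tactic label on the `+` line is a second hard-coded literal that has to agree with whatever `killchain['kill_chain_name']` carries, and the same edit is repeated in the pre-attack script's hunk below, so the two copies of this script will drift again the next time one is touched (this commit is itself fixing a copy-paste of the enterprise value). Lifting it into a named constant near the top of each script, `KILL_CHAIN_SOURCE = 'mobile-attack'` (`'pre-attack'` in the sibling), and building the entry as `killchain['kill_chain_name'] + ':' + KILL_CHAIN_SOURCE + ':' + killchain['phase_name']` keeps the one value that differs between the scripts in one obvious place. Separately, `temp['kill_chain_phases']` is indexed without the `in temp` guard that `x_mitre_data_sources` and `x_mitre_platforms` get on the following lines, so a single attack-pattern object lacking that key would abort the whole run with a KeyError rather than yielding an empty `kill_chain`; `for killchain in temp.get('kill_chain_phases', []):` would make it degrade like its neighbours, assuming an empty list is the intended outcome for such an entry. The enclosing `for element in os.listdir('.')` loop and the assignment of `temp` are outside the hunk.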