MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [tidal] updated to the latest version

pull/976/head
Alexandre Dulaunoy 2024-05-16 20:29:18 +02:00
parent adc70d09e7
commit fe3fead459
6 changed files with 6392 additions and 1517 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
clusters/tidal-campaigns.json
View File

@ -33,6 +33,18 @@
"uuid": "06197e03-e1c1-56af-ba98-5071f98f91f1",
"value": "2016 Ukraine Electric Power Attack"
},
{
"description": "The [2022 Ukraine Electric Power Attack](https://app.tidalcyber.com/campaigns/a79e06d1-df08-5c72-9180-2c373274f889) was a [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) campaign that used a combination of GOGETTER, Neo-REGEORG, [CaddyWiper](https://app.tidalcyber.com/software/62d0ddcd-790d-4d2d-9d94-276f54b40cf0), and living of the land (LotL) techniques to gain access to a Ukrainian electric utility to send unauthorized commands from their SCADA system.<sup>[[Mandiant-Sandworm-Ukraine-2022](https://app.tidalcyber.com/references/7ad64744-2790-54e4-97cd-e412423f6ada)]</sup><sup>[[Dragos-Sandworm-Ukraine-2022](https://app.tidalcyber.com/references/a17aa1b1-cda4-5aeb-b401-f4fd47d29f93)]</sup> ",
"meta": {
"campaign_attack_id": "C0034",
"first_seen": "2022-06-01T04:00:00Z",
"last_seen": "2022-10-01T04:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "a79e06d1-df08-5c72-9180-2c373274f889",
"value": "2022 Ukraine Electric Power Attack"
},
{
"description": "In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new variants of the Truebot botnet malware infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated around collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 in the IT system auditing application Netwrix Auditor to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections, FlawedGrace and Cobalt Strike for various post-exploitation activities, and Teleport, a custom tool for data exfiltration.<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup>\n\nThe Advisory did not provide specific impacted victim sectors. The Advisory referred to activity taking place “in recent months” prior to July 2023 but did not provide an estimated date when the summarized activity began. A public threat report referenced in the Advisory reported an observed increase in Truebot infections beginning in August 2022, including several compromises involving education sector organizations.<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup><sup>[[Cisco Talos Blog December 08 2022](/references/bcf92374-48a3-480f-a679-9fd34b67bcdd)]</sup>\n\n**Related Vulnerabilities**: CVE-2022-31199<sup>[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]</sup>",
"meta": {
@ -166,6 +178,29 @@
"uuid": "80ae546a-70e5-4427-be1d-e74efc428ffd",
"value": "APT29 TeamCity Exploits"
},
{
"description": "ArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). ASAs are network devices that combine firewall, VPN, and other functionality. The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.<sup>[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]</sup>\n\nResearchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.<sup>[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)]</sup> The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.<sup>[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]</sup>",
"meta": {
"campaign_attack_id": "C5019",
"first_seen": "2023-11-01T00:00:00Z",
"last_seen": "2024-02-29T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"a159c91c-5258-49ea-af7d-e803008d97d3",
"af5e9be5-b86e-47af-91dd-966a5e34a186",
"15787198-6c8b-4f79-bf50-258d55072fee",
"6bb2f579-a5cd-4647-9dcd-eff05efe3679",
"c25f341a-7030-4688-a00b-6d637298e52e",
"9768aada-9d63-4d46-ab9f-d41b8c8e4010",
"2e85babc-77cd-4455-9c6e-312223a956de",
"0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3"
]
},
"related": [],
"uuid": "ccc6401a-b79f-424b-8617-3c2d55475584",
"value": "ArcaneDoor"
},
{
"description": "[C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researcher assess UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. [C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) began by at least late 2020, and was still ongoing as of mid-2022.<sup>[[Mandiant UNC3890 Aug 2022](https://app.tidalcyber.com/references/7b3fda0b-d327-4f02-bebe-2b8974f9959d)]</sup>",
"meta": {
@ -273,6 +308,30 @@
"uuid": "a9719584-4f52-5a5d-b0f7-1059e715c2b8",
"value": "C0027"
},
{
"description": "[C0032](https://app.tidalcyber.com/campaigns/c26b3156-8472-5b87-971f-41a7a4702268) was an extended campaign suspected to involve the [Triton](https://app.tidalcyber.com/software/) adversaries with related capabilities and techniques focused on gaining a foothold within IT environments. This campaign occurred in 2019 and was distinctly different from the [Triton Safety Instrumented System Attack](https://app.tidalcyber.com/campaigns/6c7185e1-bd46-5a80-9a76-a376b16fbc7b).<sup>[[FireEye TRITON 2019](https://app.tidalcyber.com/references/49c97b85-ca22-400a-9dc4-6290cc117f04)]</sup>",
"meta": {
"campaign_attack_id": "C0032",
"first_seen": "2014-10-01T04:00:00Z",
"last_seen": "2017-01-01T05:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "c26b3156-8472-5b87-971f-41a7a4702268",
"value": "C0032"
},
{
"description": "[C0033](https://app.tidalcyber.com/campaigns/c5d35d8d-fe96-5210-bb57-4692081a25a9) was a [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0) campaign during which they used [StrongPity](https://app.tidalcyber.com/software/ed563524-235e-4e06-8c69-3f9d8ddbfd8a) to target Android users. [C0033](https://app.tidalcyber.com/campaigns/c5d35d8d-fe96-5210-bb57-4692081a25a9) was the first publicly documented mobile campaign for [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0), who previously used Windows-based techniques.<sup>[[welivesec_strongpity](https://app.tidalcyber.com/references/1b89df2c-e756-599a-9f7f-a5230db9de46)]</sup>",
"meta": {
"campaign_attack_id": "C0033",
"first_seen": "2016-05-01T07:00:00Z",
"last_seen": "2023-01-01T08:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "c5d35d8d-fe96-5210-bb57-4692081a25a9",
"value": "C0033"
},
{
"description": "In June 2023, U.S. authorities released Cybersecurity Advisory AA23-158A, which detailed observed exploits of a zero-day SQL injection vulnerability (CVE-2023-34362) affecting Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. According to the Advisory, exploit activity began on May 27, 2023, as threat actors, which the Advisory attributed to \"CL0P Ransomware Gang, also known as TA505\", began compromising internet-facing MOVEit Transfer web applications. Actors deployed web shells, dubbed LEMURLOOT, on compromised MOVEit applications, which enabled persistence, discovery of files and folders stored on MOVEit servers, and staging and exfiltration of compressed victim data. Authorities indicated they expected to see \"widespread exploitation of unpatched software services in both private and public networks\".<sup>[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup> Progress Software acknowledged the vulnerability and issued guidance on known affected versions, software upgrades, and patching.<sup>[[Progress Software MOVEit Transfer Critical Vulnerability](/references/9f364e22-b73c-4f3a-902c-a3f0eb01a2b9)]</sup>\n\n**Related Vulnerabilities**: CVE-2023-34362<sup>[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]</sup>",
"meta": {
@ -303,6 +362,29 @@
"uuid": "fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48",
"value": "CostaRicto"
},
{
"description": "[Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.<sup>[[Mandiant Cutting Edge January 2024](https://app.tidalcyber.com/references/9d9ec923-89c1-5155-ae6e-98d4776d4250)]</sup><sup>[[Volexity Ivanti Zero-Day Exploitation January 2024](https://app.tidalcyber.com/references/93eda380-ea21-59e0-97e8-5bec1f9a0e71)]</sup><sup>[[Volexity Ivanti Global Exploitation January 2024](https://app.tidalcyber.com/references/b96fa4f2-864d-5d88-9a29-b117da8f8c5c)]</sup><sup>[[Mandiant Cutting Edge Part 2 January 2024](https://app.tidalcyber.com/references/5209d259-4293-58c0-bbdc-f30ff77d57f7)]</sup><sup>[[Mandiant Cutting Edge Part 3 February 2024](https://app.tidalcyber.com/references/49e5b125-5503-5cb0-9a56-a93f82b55753)]</sup>",
"meta": {
"campaign_attack_id": "C0029",
"first_seen": "2023-12-01T05:00:00Z",
"last_seen": "2024-02-01T05:00:00Z",
"source": "MITRE",
"tags": [
"9768aada-9d63-4d46-ab9f-d41b8c8e4010",
"758c3085-2f79-40a8-ab95-f8a684737927",
"af5e9be5-b86e-47af-91dd-966a5e34a186",
"35e694ec-5133-46e3-b7e1-5831867c3b55",
"1dc8fd1e-0737-405a-98a1-111dd557f1b5",
"15787198-6c8b-4f79-bf50-258d55072fee",
"d1ab6bd6-2688-4e54-a1d3-d180bb8fd41a",
"1ff4614e-0ee6-4e04-921d-61abba7fcdb7",
"e00b65fc-8f56-4a9e-9f09-ccf3124a3272"
]
},
"related": [],
"uuid": "4e605e33-57fe-5bb2-b0ad-ec146aac041b",
"value": "Cutting Edge"
},
{
"description": "German and South Korean cybersecurity authorities published an advisory highlighting recent attempts by North Korea-linked cyber actors to target enterprises and research centers in the defense sector. The advisory detailed a supply chain attack, attributed to an unnamed threat group, in which actors compromised a company that maintained a defense sector research center's web servers, then used stolen SSH credentials to remotely access the research center's network. The actors then used various methods to evade defenses, including impersonating security staff, deployed malware via a patch management system, and stole account information and email contents before being evicted from the network.<sup>[[BfV North Korea February 17 2024](/references/cc76be15-6d9d-40b2-b7f3-196bb0a7106a)]</sup>",
"meta": {
@ -431,6 +513,8 @@
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"fe984a01-910d-4e39-9c49-179aa03f75ab",
"9768aada-9d63-4d46-ab9f-d41b8c8e4010",
"758c3085-2f79-40a8-ab95-f8a684737927",
"af5e9be5-b86e-47af-91dd-966a5e34a186",
"35e694ec-5133-46e3-b7e1-5831867c3b55",
@ -454,6 +538,7 @@
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"fe984a01-910d-4e39-9c49-179aa03f75ab",
"a98d7a43-f227-478e-81de-e7299639a355",
"c475ad68-3fdc-4725-8abc-784c56125e96"
]
@ -494,6 +579,19 @@
"uuid": "85f136b3-d5a3-4c4c-a37c-40e4418dc989",
"value": "Night Dragon"
},
{
"description": "\"Operation Bearded Barbie\" was a suspected AridViper (aka APT-C-23/Desert Falcon) campaign that appeared to target Israeli individuals, especially \"high-profile\" defense, law enforcement, and other government service personnel. The campaign heavily relied upon social engineering techniques, including the use of well-developed social media personas, aimed at tricking targets into installing backdoors for Windows and Android devices. The campaign appeared to be motivated by information collection for espionage purposes.<sup>[[Cybereason Operation Bearded Barbie April 5 2022](/references/7d71b7c9-531e-4e4f-ab85-df2380555b7a)]</sup>",
"meta": {
"campaign_attack_id": "C5018",
"first_seen": "2022-03-01T00:00:00Z",
"last_seen": "2022-04-01T00:00:00Z",
"owner": "TidalCyberIan",
"source": "Tidal Cyber"
},
"related": [],
"uuid": "0496e076-1813-4f51-86e6-8f551983e8f8",
"value": "Operation Bearded Barbie"
},
{
"description": "[Operation CuckooBees](https://app.tidalcyber.com/campaigns/81bf4e45-f0d3-4fec-a9d4-1259cf8542a1) was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of [Operation CuckooBees](https://app.tidalcyber.com/campaigns/81bf4e45-f0d3-4fec-a9d4-1259cf8542a1), which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed [Operation CuckooBees](https://app.tidalcyber.com/campaigns/81bf4e45-f0d3-4fec-a9d4-1259cf8542a1) was conducted by actors affiliated with [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b), [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9), and BARIUM.<sup>[[Cybereason OperationCuckooBees May 2022](https://app.tidalcyber.com/references/fe3e2c7e-2287-406c-b717-cf7721b5843a)]</sup>",
"meta": {
@ -641,6 +739,18 @@
"related": [],
"uuid": "8bde8146-0656-5800-82e6-e24e008e4f4a",
"value": "SolarWinds Compromise"
},
{
"description": "[Triton Safety Instrumented System Attack](https://app.tidalcyber.com/campaigns/6c7185e1-bd46-5a80-9a76-a376b16fbc7b) was a campaign employed by [TEMP.Veles](https://app.tidalcyber.com/groups/3a54b8dc-a231-4db8-96da-1c0c1aa396f6) which leveraged the [Triton](https://app.tidalcyber.com/software/) malware framework against a petrochemical organization.<sup>[[Triton-EENews-2017](https://app.tidalcyber.com/references/5cc54d85-ee53-579d-a8fb-9b54b3540dc0)]</sup> The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.<sup>[[FireEye TRITON 2018](https://app.tidalcyber.com/references/bfa5886a-a7f4-40d1-98d0-c3358abcf265)]</sup> The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.<sup>[[FireEye TRITON 2017](https://app.tidalcyber.com/references/597a4d8b-ffb2-4551-86db-b319f5a5b707)]</sup>\n",
"meta": {
"campaign_attack_id": "C0030",
"first_seen": "2017-06-01T04:00:00Z",
"last_seen": "2017-08-01T04:00:00Z",
"source": "MITRE"
},
"related": [],
"uuid": "6c7185e1-bd46-5a80-9a76-a376b16fbc7b",
"value": "Triton Safety Instrumented System Attack"
}
],
"version": 1

256
clusters/tidal-groups.json
View File

@ -37,6 +37,68 @@
"uuid": "e38bcb42-12c1-4202-a794-ec26cd830caa",
"value": "Ajax Security Team"
},
{
"description": "[Akira](https://app.tidalcyber.com/groups/923f478c-7ad1-516f-986d-61f96b9c553e) is a ransomware variant and ransomware deployment entity active since at least March 2023.<sup>[[Arctic Wolf Akira 2023](https://app.tidalcyber.com/references/aa34f2a1-a398-5dc4-b898-cdc02afeca5d)]</sup> [Akira](https://app.tidalcyber.com/groups/923f478c-7ad1-516f-986d-61f96b9c553e) uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.<sup>[[Arctic Wolf Akira 2023](https://app.tidalcyber.com/references/aa34f2a1-a398-5dc4-b898-cdc02afeca5d)]</sup><sup>[[Secureworks GOLD SAHARA](https://app.tidalcyber.com/references/3abb7995-4a62-56a6-9492-942965edf0a0)]</sup> [Akira](https://app.tidalcyber.com/groups/923f478c-7ad1-516f-986d-61f96b9c553e) operations are associated with \"double extortion\" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of [Akira](https://app.tidalcyber.com/software/96ae0e1e-975a-5e11-adbe-c79ee17cee11) ransomware indicates multiple overlaps with and similarities to [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) malware.<sup>[[BushidoToken Akira 2023](https://app.tidalcyber.com/references/8fe09ef1-f72e-5261-b79f-5d41fad51eac)]</sup>",
"meta": {
"group_attack_id": "G1024",
"observed_countries": [
"AU",
"BD",
"BR",
"CA",
"DK",
"FR",
"IN",
"IL",
"LV",
"MX",
"NI",
"PT",
"ZA",
"TR",
"GB",
"US"
],
"observed_motivations": [
"Financial Gain"
],
"source": "MITRE",
"tags": [
"0580d361-b60b-4664-9b2e-6d737e495cc1",
"9768aada-9d63-4d46-ab9f-d41b8c8e4010",
"a159c91c-5258-49ea-af7d-e803008d97d3",
"c5a258ce-9045-48d9-b254-ec2bf6437bb5",
"cc4ea215-87ce-4351-9579-cf527caf5992",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"15787198-6c8b-4f79-bf50-258d55072fee",
"c79f7ba7-a2f2-43ff-8c78-521807ef6c92",
"a2e000da-8181-4327-bacd-32013dbd3654",
"5e7433ad-a894-4489-93bc-41e90da90019",
"7e7b0c67-bb85-4996-a289-da0e792d7172",
"562e535e-19f5-4d6c-81ed-ce2aec544f09"
],
"target_categories": [
"Agriculture",
"Banks",
"Construction",
"Education",
"Energy",
"Financial Services",
"Government",
"Healthcare",
"Insurance",
"Legal",
"Manufacturing",
"Non Profit",
"Retail",
"Technology",
"Telecommunications"
]
},
"related": [],
"uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
"value": "Akira"
},
{
"description": "This Group object reflects the tools & TTPs used by threat actors known to deploy Akira, a ransomware family that researchers believe has been used since at least March 2023.<sup>[[TrendMicro Akira October 5 2023](/references/8f45fb21-c6ad-4b97-b459-da96eb643069)]</sup> Researchers assess that the Akira operation relates to and possibly derives from the Conti ransomware operation (by way of the Royal ransomware operation).<sup>[[GitHub ransomware_map](/references/d995f4b2-3262-4c37-855a-61aef7d7b8a8)]</sup>\n\nTTPs associated with the Akria ransomware binary itself can be found in the separate \"Akira Ransomware\" Software object.",
"meta": {
@ -420,7 +482,7 @@
"value": "APT20"
},
{
"description": "[APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.<sup>[[NSA/FBI Drovorub August 2020](https://app.tidalcyber.com/references/d697a342-4100-4e6b-95b9-4ae3ba80924b)]</sup><sup>[[Cybersecurity Advisory GRU Brute Force Campaign July 2021](https://app.tidalcyber.com/references/e70f0742-5f3e-4701-a46b-4a58c0281537)]</sup> This group has been active since at least 2004.<sup>[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)]</sup><sup>[[Ars Technica GRU indictment Jul 2018](https://app.tidalcyber.com/references/a1192cb3-4536-4900-93c7-a127ca06c690)]</sup><sup>[[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)]</sup><sup>[[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)]</sup><sup>[[SecureWorks TG-4127](https://app.tidalcyber.com/references/5f401c82-4e16-43a1-b234-48918fe7df9f)]</sup><sup>[[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]</sup><sup>[[GRIZZLY STEPPE JAR](https://app.tidalcyber.com/references/4b26d274-497f-49bc-a2a5-b93856a49893)]</sup><sup>[[Sofacy DealersChoice](https://app.tidalcyber.com/references/ec157d0c-4091-43f5-85f1-a271c4aac1fc)]</sup><sup>[[Palo Alto Sofacy 06-2018](https://app.tidalcyber.com/references/a32357eb-3226-4bee-aeed-d2fbcfa52da0)]</sup><sup>[[Symantec APT28 Oct 2018](https://app.tidalcyber.com/references/777bc94a-6c21-4f8c-9efa-a1cf52ececc0)]</sup><sup>[[ESET Zebrocy May 2019](https://app.tidalcyber.com/references/f8b837fb-e46c-4153-8e86-dc4b909b393a)]</sup>\n\n[APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. <sup>[[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)]</sup> In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.<sup>[[US District Court Indictment GRU Oct 2018](https://app.tidalcyber.com/references/56aeab4e-b046-4426-81a8-c3b2323492f0)]</sup> Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666). ",
"description": "[APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.<sup>[[NSA/FBI Drovorub August 2020](https://app.tidalcyber.com/references/d697a342-4100-4e6b-95b9-4ae3ba80924b)]</sup><sup>[[Cybersecurity Advisory GRU Brute Force Campaign July 2021](https://app.tidalcyber.com/references/e70f0742-5f3e-4701-a46b-4a58c0281537)]</sup> This group has been active since at least 2004.<sup>[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)]</sup><sup>[[Ars Technica GRU indictment Jul 2018](https://app.tidalcyber.com/references/a1192cb3-4536-4900-93c7-a127ca06c690)]</sup><sup>[[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)]</sup><sup>[[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)]</sup><sup>[[SecureWorks TG-4127](https://app.tidalcyber.com/references/5f401c82-4e16-43a1-b234-48918fe7df9f)]</sup><sup>[[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]</sup><sup>[[GRIZZLY STEPPE JAR](https://app.tidalcyber.com/references/4b26d274-497f-49bc-a2a5-b93856a49893)]</sup><sup>[[Sofacy DealersChoice](https://app.tidalcyber.com/references/ec157d0c-4091-43f5-85f1-a271c4aac1fc)]</sup><sup>[[Palo Alto Sofacy 06-2018](https://app.tidalcyber.com/references/a32357eb-3226-4bee-aeed-d2fbcfa52da0)]</sup><sup>[[Symantec APT28 Oct 2018](https://app.tidalcyber.com/references/777bc94a-6c21-4f8c-9efa-a1cf52ececc0)]</sup><sup>[[ESET Zebrocy May 2019](https://app.tidalcyber.com/references/f8b837fb-e46c-4153-8e86-dc4b909b393a)]</sup>\n\n[APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.<sup>[[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)]</sup> In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.<sup>[[US District Court Indictment GRU Oct 2018](https://app.tidalcyber.com/references/56aeab4e-b046-4426-81a8-c3b2323492f0)]</sup> Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666). ",
"meta": {
"country": "RU",
"group_attack_id": "G0007",
@ -607,7 +669,7 @@
"value": "APT29"
},
{
"description": "[APT3](https://app.tidalcyber.com/groups/9da726e6-af02-49b8-8ebe-7ea4235513c9) is a China-based threat group that researchers have attributed to China's Ministry of State Security.<sup>[[FireEye Clandestine Wolf](https://app.tidalcyber.com/references/dbb779c4-4d75-4fb4-ad3a-7d1f0f74e26f)]</sup><sup>[[Recorded Future APT3 May 2017](https://app.tidalcyber.com/references/a894d79f-5977-4ef9-9aa5-7bfec795ceb2)]</sup> This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.<sup>[[FireEye Clandestine Wolf](https://app.tidalcyber.com/references/dbb779c4-4d75-4fb4-ad3a-7d1f0f74e26f)]</sup><sup>[[FireEye Operation Double Tap](https://app.tidalcyber.com/references/4b9af128-98da-48b6-95c7-8d27979c2ab1)]</sup> As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.<sup>[[Symantec Buckeye](https://app.tidalcyber.com/references/dbf3ce3e-bcf2-4e47-ad42-839e51967395)]</sup>\n\nIn 2017, MITRE developed an APT3 Adversary Emulation Plan.<sup>[[APT3 Adversary Emulation Plan](https://app.tidalcyber.com/references/64c01921-c33f-402e-b30d-a2ba26583a24)]</sup>",
"description": "[APT3](https://app.tidalcyber.com/groups/9da726e6-af02-49b8-8ebe-7ea4235513c9) is a China-based threat group that researchers have attributed to China's Ministry of State Security.<sup>[[FireEye Clandestine Wolf](https://app.tidalcyber.com/references/dbb779c4-4d75-4fb4-ad3a-7d1f0f74e26f)]</sup><sup>[[Recorded Future APT3 May 2017](https://app.tidalcyber.com/references/a894d79f-5977-4ef9-9aa5-7bfec795ceb2)]</sup> This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.<sup>[[FireEye Clandestine Wolf](https://app.tidalcyber.com/references/dbb779c4-4d75-4fb4-ad3a-7d1f0f74e26f)]</sup><sup>[[FireEye Operation Double Tap](https://app.tidalcyber.com/references/4b9af128-98da-48b6-95c7-8d27979c2ab1)]</sup> As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.<sup>[[Symantec Buckeye](https://app.tidalcyber.com/references/dbf3ce3e-bcf2-4e47-ad42-839e51967395)]</sup>",
"meta": {
"country": "CN",
"group_attack_id": "G0022",
@ -704,7 +766,7 @@
"value": "APT32"
},
{
"description": "[APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. <sup>[[FireEye APT33 Sept 2017](https://app.tidalcyber.com/references/70610469-db0d-45ab-a790-6e56309a39ec)]</sup> <sup>[[FireEye APT33 Webinar Sept 2017](https://app.tidalcyber.com/references/9b378592-5737-403d-8a07-27077f5b2d61)]</sup>",
"description": "[APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.<sup>[[FireEye APT33 Sept 2017](https://app.tidalcyber.com/references/70610469-db0d-45ab-a790-6e56309a39ec)]</sup><sup>[[FireEye APT33 Webinar Sept 2017](https://app.tidalcyber.com/references/9b378592-5737-403d-8a07-27077f5b2d61)]</sup>",
"meta": {
"country": "IR",
"group_attack_id": "G0064",
@ -766,7 +828,7 @@
"value": "APT37"
},
{
"description": "[APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.<sup>[[CISA AA20-239A BeagleBoyz August 2020](https://app.tidalcyber.com/references/a8a2e3f2-3967-4e82-a36a-2436c654fb3f)]</sup> Active since at least 2014, [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.<sup>[[CISA AA20-239A BeagleBoyz August 2020](https://app.tidalcyber.com/references/a8a2e3f2-3967-4e82-a36a-2436c654fb3f)]</sup><sup>[[FireEye APT38 Oct 2018](https://app.tidalcyber.com/references/7c916329-af56-4723-820c-ef932a6e3409)]</sup><sup>[[DOJ North Korea Indictment Feb 2021](https://app.tidalcyber.com/references/d702653f-a9da-4a36-8f84-97caeb445266)]</sup><sup>[[Kaspersky Lazarus Under The Hood Blog 2017](https://app.tidalcyber.com/references/a1e1ab6a-8db0-4593-95ec-78784607dfa0)]</sup>\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.",
"description": "[APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.<sup>[[CISA AA20-239A BeagleBoyz August 2020](https://app.tidalcyber.com/references/a8a2e3f2-3967-4e82-a36a-2436c654fb3f)]</sup> Active since at least 2014, [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) stole $81 million, as well as attacks against Bancomext <sup>[[FireEye APT38 Oct 2018](https://app.tidalcyber.com/references/7c916329-af56-4723-820c-ef932a6e3409)]</sup> and Banco de Chile <sup>[[FireEye APT38 Oct 2018](https://app.tidalcyber.com/references/7c916329-af56-4723-820c-ef932a6e3409)]</sup>; some of their attacks have been destructive.<sup>[[CISA AA20-239A BeagleBoyz August 2020](https://app.tidalcyber.com/references/a8a2e3f2-3967-4e82-a36a-2436c654fb3f)]</sup><sup>[[FireEye APT38 Oct 2018](https://app.tidalcyber.com/references/7c916329-af56-4723-820c-ef932a6e3409)]</sup><sup>[[DOJ North Korea Indictment Feb 2021](https://app.tidalcyber.com/references/d702653f-a9da-4a36-8f84-97caeb445266)]</sup><sup>[[Kaspersky Lazarus Under The Hood Blog 2017](https://app.tidalcyber.com/references/a1e1ab6a-8db0-4593-95ec-78784607dfa0)]</sup>\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.",
"meta": {
"country": "KP",
"group_attack_id": "G0082",
@ -929,6 +991,43 @@
"uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
"value": "APT41"
},
{
"description": "[APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.<sup>[[NSA APT5 Citrix Threat Hunting December 2022](https://app.tidalcyber.com/references/916e2137-46e6-53c2-a917-5b5b5c4bae3a)]</sup><sup>[[Microsoft East Asia Threats September 2023](https://app.tidalcyber.com/references/31f2c61e-cefe-5df7-9c2b-780bf03c88ec)]</sup><sup>[[Mandiant Pulse Secure Zero-Day April 2021](https://app.tidalcyber.com/references/0760480c-97be-5fc9-a6aa-f1df91a314a3)]</sup><sup>[[Mandiant Pulse Secure Update May 2021](https://app.tidalcyber.com/references/5620adaf-c2a7-5f0f-ae70-554ce720426e)]</sup><sup>[[FireEye Southeast Asia Threat Landscape March 2015](https://app.tidalcyber.com/references/59658f8b-af24-5df5-8f7d-cb6b9cf7579e)]</sup><sup>[[Mandiant Advanced Persistent Threats](https://app.tidalcyber.com/references/2d16615b-09fc-5925-8f59-6d20f334d236)]</sup> ",
"meta": {
"group_attack_id": "G1023",
"source": "MITRE"
},
"related": [],
"uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
"value": "APT5"
},
{
"description": "[APT-C-23](https://app.tidalcyber.com/groups/e3c5164e-49cf-5bb1-955d-6775585abb14) is a threat group that has been active since at least 2014.<sup>[[symantec_mantis](https://app.tidalcyber.com/references/76a792b5-f3cd-566e-a87b-9fae844ce07d)]</sup> [APT-C-23](https://app.tidalcyber.com/groups/e3c5164e-49cf-5bb1-955d-6775585abb14) has primarily focused its operations on the Middle East, including Israeli military assets. [APT-C-23](https://app.tidalcyber.com/groups/e3c5164e-49cf-5bb1-955d-6775585abb14) has developed mobile spyware targeting Android and iOS devices since 2017.<sup>[[welivesecurity_apt-c-23](https://app.tidalcyber.com/references/7196226e-7d0d-5e14-a4e3-9b6322537039)]</sup>",
"meta": {
"group_attack_id": "G1028",
"observed_countries": [
"DZ",
"BH",
"IL",
"PS",
"TR"
],
"observed_motivations": [
"Cyber Espionage"
],
"source": "MITRE",
"target_categories": [
"Defense",
"Education",
"Government",
"Media",
"NGOs"
]
},
"related": [],
"uuid": "e3c5164e-49cf-5bb1-955d-6775585abb14",
"value": "APT-C-23"
},
{
"description": "[APT-C-36](https://app.tidalcyber.com/groups/153c14a6-31b7-44f2-892e-6d9fdc152267) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.<sup>[[QiAnXin APT-C-36 Feb2019](https://app.tidalcyber.com/references/cae075ea-42cb-4695-ac66-9187241393d1)]</sup>",
"meta": {
@ -1083,7 +1182,7 @@
"value": "BianLian Ransomware Group"
},
{
"description": "[BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.<sup>[[Cisco Talos Bitter Bangladesh May 2022](https://app.tidalcyber.com/references/097583ed-03b0-41cd-bf85-66d473f46439)]</sup><sup>[[Forcepoint BITTER Pakistan Oct 2016](https://app.tidalcyber.com/references/9fc54fb0-b7d9-49dc-b6dd-ab4cb2cd34fa)]</sup>",
"description": "[BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.<sup>[[Cisco Talos Bitter Bangladesh May 2022](https://app.tidalcyber.com/references/097583ed-03b0-41cd-bf85-66d473f46439)]</sup><sup>[[Forcepoint BITTER Pakistan Oct 2016](https://app.tidalcyber.com/references/9fc54fb0-b7d9-49dc-b6dd-ab4cb2cd34fa)]</sup>",
"meta": {
"group_attack_id": "G1002",
"source": "MITRE"
@ -1126,6 +1225,55 @@
"uuid": "393da13e-016c-41a3-9d89-b33173adecbf",
"value": "Bl00dy Ransomware Gang"
},
{
"description": "This Group object reflects the tools & TTPs associated with threat actors known to deploy Black Basta, a ransomware-as-a-service (RaaS) variant that researchers believe has been used since at least April 2022. Black Basta affiliates have attacked a very wide range of targets, including organizations in at least 12 out of 16 U.S. critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.<sup>[[U.S. CISA Black Basta May 10 2024](/references/10fed6c7-4d73-49cd-9170-3f67d06365ca)]</sup>\n\nSpecific pre- and post-exploit behaviors may vary among intrusions carried out by different Black Basta affiliates. TTPs associated with the Black Basta ransomware binary itself can be found in the separate dedicated Software object.",
"meta": {
"group_attack_id": "G5023",
"observed_countries": [
"AU",
"AT",
"CA",
"DE",
"IT",
"CH",
"GB",
"US"
],
"observed_motivations": [
"Financial Gain"
],
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"d903e38b-600d-4736-9e3b-cf1a6e436481",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"d819ae1a-e385-49fd-88d5-f66660729ecb",
"15787198-6c8b-4f79-bf50-258d55072fee",
"c40971d6-ad75-4b2d-be6c-5353c96a232d",
"3adcb409-166d-4465-ba1f-ddaecaff8282",
"dea4388a-b1f2-4f2a-9df9-108631d0d078",
"2743d495-7728-4a75-9e5f-b64854039792",
"d431939f-2dc0-410b-83f7-86c458125444",
"fdd53e62-5bf1-41f1-8bd6-b970a866c39d",
"5e7433ad-a894-4489-93bc-41e90da90019",
"7e7b0c67-bb85-4996-a289-da0e792d7172",
"562e535e-19f5-4d6c-81ed-ce2aec544f09"
],
"target_categories": [
"Construction",
"Financial Services",
"Healthcare",
"Legal",
"Manufacturing",
"Retail",
"Technology",
"Transportation"
]
},
"related": [],
"uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4",
"value": "Black Basta Affiliates"
},
{
"description": "This object represents the BlackCat/ALPHV Ransomware-as-a-Service (“RaaS”) apex group and the behaviors associated with its various affiliate ransomware operators. Specific affiliate operations defined by the research community will be tracked as separate objects.\n\nResearchers first observed BlackCat ransomware (AKA ALPHV or Noberus) in November 2021. An April 2022 U.S. FBI advisory linked BlackCats developers and money launderers to the defunct Blackmatter and Darkside ransomware operations (the latter was responsible for the major 2021 Colonial Pipeline incident).<sup>[[FBI BlackCat April 19 2022](/references/2640b58c-8413-4691-80e1-33aec9b6c7f6)]</sup> As of September 2023, BlackCat is believed to be responsible for attacking organizations globally and in virtually every major sector, and it consistently claims some of the highest victim tallies of any RaaS. According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, BlackCat actors publicly claimed 233 victims in 2022, the third most of any ransomware operation in the dataset (considerably below Clop (558) but well above Hive (181)), and it already surpassed that number by July of 2023.<sup>[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]</sup> Like many RaaS, BlackCat actors threaten to leak exfiltrated victim data, but they also threaten to carry out denial of service attacks if victims do not pay timely ransoms.<sup>[[BlackBerry BlackCat Threat Overview](/references/59f98ae1-c62d-460f-8d2a-9ae287b59953)]</sup>\n\nBlackCat developers have regularly evolved the namesake ransomware over time, and collaboration with affiliates means that a large number and variety of tools & TTPs are observed during intrusions involving BlackCat. BlackCat became the first prominent ransomware family to transition to the Rust programming language in 2022, which researchers assess provides greater customization and defense evasion capabilities and faster performance.<sup>[[X-Force BlackCat May 30 2023](/references/b80c1f70-9d05-4f4b-bdc2-6157c6837202)]</sup><sup>[[FBI BlackCat April 19 2022](/references/2640b58c-8413-4691-80e1-33aec9b6c7f6)]</sup> A BlackCat variant named Sphynx emerged in early 2023, featuring multiple defense evasion-focused enhancements. In Q3 2023, public reports suggested that Scattered Spider (AKA 0ktapus or UNC3944), a group attributed to several prominent intrusions involving telecommunications, technology, and casino entities, had begun to use BlackCat/Sphynx ransomware during its operations.<sup>[[Caesars Scattered Spider September 13 2023](/references/6915c003-7c8b-451c-8fb1-3541f00c14fb)]</sup><sup>[[BushidoToken Scattered Spider August 16 2023](/references/621a8320-0e3c-444f-b82a-7fd4fdf9fb67)]</sup>",
"meta": {
@ -1265,6 +1413,9 @@
"Cyber Espionage"
],
"source": "MITRE",
"tags": [
"b20e7912-6a8d-46e3-8e13-9a3fc4813852"
],
"target_categories": [
"Construction",
"Defense",
@ -1386,6 +1537,16 @@
"uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e",
"value": "Chimera"
},
{
"description": "[Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) source code. [Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, [Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) may be motivated by intellectual property theft or cyberespionage rather than financial gain.<sup>[[Microsoft Ransomware as a Service](https://app.tidalcyber.com/references/833018b5-6ef6-5327-9af5-1a551df25cd2)]</sup><sup>[[Microsoft Threat Actor Naming July 2023](https://app.tidalcyber.com/references/78a8137d-694e-533d-aed3-6bd48fc0cd4a)]</sup><sup>[[Trend Micro Cheerscrypt May 2022](https://app.tidalcyber.com/references/ca7ccf2c-37f3-522a-acfb-09daa16e23d8)]</sup><sup>[[SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022](https://app.tidalcyber.com/references/0b275cf9-a885-58cc-b859-112090a711e3)]</sup>",
"meta": {
"group_attack_id": "G1021",
"source": "MITRE"
},
"related": [],
"uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c",
"value": "Cinnamon Tempest"
},
{
"description": "[Cleaver](https://app.tidalcyber.com/groups/c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. <sup>[[Cylance Cleaver](https://app.tidalcyber.com/references/f0b45225-3ec3-406f-bd74-87f24003761b)]</sup> Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). <sup>[[Dell Threat Group 2889](https://app.tidalcyber.com/references/de7003cb-5127-4fd7-9475-d69e0d7f5cc8)]</sup>",
"meta": {
@ -2218,7 +2379,7 @@
"value": "Fox Kitten"
},
{
"description": "[GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified [GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.<sup>[[Cybereason Soft Cell June 2019](https://app.tidalcyber.com/references/620b7353-0e58-4503-b534-9250a8f5ae3c)]</sup><sup>[[Microsoft GALLIUM December 2019](https://app.tidalcyber.com/references/5bc76b47-ff68-4031-a347-f2dc0daba203)]</sup><sup>[[Unit 42 PingPull Jun 2022](https://app.tidalcyber.com/references/ac6491ab-6ef1-4091-8a15-50e2cbafe157)]</sup>",
"description": "[GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.<sup>[[Cybereason Soft Cell June 2019](https://app.tidalcyber.com/references/620b7353-0e58-4503-b534-9250a8f5ae3c)]</sup> Security researchers have identified [GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.<sup>[[Cybereason Soft Cell June 2019](https://app.tidalcyber.com/references/620b7353-0e58-4503-b534-9250a8f5ae3c)]</sup><sup>[[Microsoft GALLIUM December 2019](https://app.tidalcyber.com/references/5bc76b47-ff68-4031-a347-f2dc0daba203)]</sup><sup>[[Unit 42 PingPull Jun 2022](https://app.tidalcyber.com/references/ac6491ab-6ef1-4091-8a15-50e2cbafe157)]</sup>",
"meta": {
"country": "CN",
"group_attack_id": "G0093",
@ -2670,7 +2831,7 @@
"value": "LAPSUS$"
},
{
"description": "[Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.<sup>[[US-CERT HIDDEN COBRA June 2017](https://app.tidalcyber.com/references/8e57cea3-ee37-4507-bb56-7445050ec8ca)]</sup><sup>[[Treasury North Korean Cyber Groups September 2019](https://app.tidalcyber.com/references/54977bb2-2929-41d7-bdea-06d39dc76174)]</sup> The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. <sup>[[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)]</sup>\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups, such as [Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46), [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66), [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b), and [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1). ",
"description": "[Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.<sup>[[US-CERT HIDDEN COBRA June 2017](https://app.tidalcyber.com/references/8e57cea3-ee37-4507-bb56-7445050ec8ca)]</sup><sup>[[Treasury North Korean Cyber Groups September 2019](https://app.tidalcyber.com/references/54977bb2-2929-41d7-bdea-06d39dc76174)]</sup> The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.<sup>[[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)]</sup>\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups, such as [Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46), [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66), [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b), and [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1). ",
"meta": {
"country": "KP",
"group_attack_id": "G0032",
@ -3026,6 +3187,33 @@
"uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
"value": "Magic Hound"
},
{
"description": "[Malteiro](https://app.tidalcyber.com/groups/803f8018-6e45-5b0f-978f-1fe96b217120) is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the [Mispadu](https://app.tidalcyber.com/software/758e5226-6015-5cc7-af4b-20fa35c9bac1) banking trojan via a Malware-as-a-Service (MaaS) business model. [Malteiro](https://app.tidalcyber.com/groups/803f8018-6e45-5b0f-978f-1fe96b217120) mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).<sup>[[SCILabs Malteiro 2021](https://app.tidalcyber.com/references/c6948dfc-b133-556b-a8ac-b3a4dba09c0e)]</sup>",
"meta": {
"country": "BR",
"group_attack_id": "G1026",
"observed_countries": [
"MX",
"PT",
"ES"
],
"observed_motivations": [
"Financial Gain"
],
"source": "MITRE",
"target_categories": [
"Financial Services",
"Government",
"Healthcare",
"Manufacturing",
"Retail",
"Telecommunications"
]
},
"related": [],
"uuid": "803f8018-6e45-5b0f-978f-1fe96b217120",
"value": "Malteiro"
},
{
"description": "MedusaLocker is a ransomware-as-a-service (\"RaaS\") operation that has been active since September 2019. U.S. cybersecurity authorities indicate that MedusaLocker operators have primarily targeted victims in the healthcare sector, among other unspecified sectors. Initial access for MedusaLocker intrusions originally came via phishing and spam email campaigns, but since 2022 has typically occurred via exploit of vulnerable Remote Desktop Protocol devices.<sup>[[HC3 Analyst Note MedusaLocker Ransomware February 2023](/references/49e314d6-5324-41e0-8bee-2b3e08d5e12f)]</sup>\n \nThis object represents behaviors associated with operators of MedusaLocker ransomware. As MedusaLocker is licensed on a RaaS model, affiliates likely do not act as a single cohesive unit, and behaviors observed during particular attacks may vary. Behaviors associated with samples of MedusaLocker ransomware are represented in the \"MedusaLocker Ransomware\" Software object.\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker",
"meta": {
@ -3407,6 +3595,16 @@
"uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
"value": "Mustang Panda"
},
{
"description": "[Mustard Tempest](https://app.tidalcyber.com/groups/0898e7cb-118e-5eeb-b856-04e56ed18182) is an initial access broker that has operated the [SocGholish](https://app.tidalcyber.com/software/ab84f259-9b9a-51d8-a68a-2bcd7512d760) distribution network since at least 2017. [Mustard Tempest](https://app.tidalcyber.com/groups/0898e7cb-118e-5eeb-b856-04e56ed18182) has partnered with [Indrik Spider](https://app.tidalcyber.com/groups/3c7ad595-1940-40fc-b9ca-3e649c1e5d87) to provide access for the download of additional malware including LockBit, [WastedLocker](https://app.tidalcyber.com/software/0ba6ee8d-2b29-4980-8e55-348ea05f00ad), and remote access tools.<sup>[[Microsoft Ransomware as a Service](https://app.tidalcyber.com/references/833018b5-6ef6-5327-9af5-1a551df25cd2)]</sup><sup>[[Microsoft Threat Actor Naming July 2023](https://app.tidalcyber.com/references/78a8137d-694e-533d-aed3-6bd48fc0cd4a)]</sup><sup>[[Secureworks Gold Prelude Profile](https://app.tidalcyber.com/references/b16ae37d-5244-5c1e-92a9-e494b5a9ef49)]</sup><sup>[[SocGholish-update](https://app.tidalcyber.com/references/01d9c3ba-29e2-5090-b399-0e7adf50a6b9)]</sup>",
"meta": {
"group_attack_id": "G1020",
"source": "MITRE"
},
"related": [],
"uuid": "0898e7cb-118e-5eeb-b856-04e56ed18182",
"value": "Mustard Tempest"
},
{
"description": "[Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese Peoples Liberation Armys (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).<sup>[[CameraShy](https://app.tidalcyber.com/references/9942b6a5-6ffb-4a26-9392-6c8bb9954997)]</sup> Active since at least 2010, [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).<sup>[[CameraShy](https://app.tidalcyber.com/references/9942b6a5-6ffb-4a26-9392-6c8bb9954997)]</sup><sup>[[Baumgartner Naikon 2015](https://app.tidalcyber.com/references/09302b4f-7f71-4289-92f6-076c685f0810)]</sup> \n\nWhile [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) shares some characteristics with [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f), the two groups do not appear to be exact matches.<sup>[[Baumgartner Golovkin Naikon 2015](https://app.tidalcyber.com/references/5163576f-0b2c-49ba-8f34-b7efe3f3f6db)]</sup>",
"meta": {
@ -3477,7 +3675,7 @@
"value": "Nomadic Octopus"
},
{
"description": "[OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.<sup>[[Palo Alto OilRig April 2017](https://app.tidalcyber.com/references/fb561cdd-03f6-4867-b5b5-7e4deb11f0d0)]</sup><sup>[[ClearSky OilRig Jan 2017](https://app.tidalcyber.com/references/f19f9ad4-bb31-443b-9c26-87946469a0c3)]</sup><sup>[[Palo Alto OilRig May 2016](https://app.tidalcyber.com/references/53836b95-a30a-4e95-8e19-e2bb2f18c738)]</sup><sup>[[Palo Alto OilRig Oct 2016](https://app.tidalcyber.com/references/14bbb07b-caeb-4d17-8e54-047322a5930c)]</sup><sup>[[Unit42 OilRig Playbook 2023](https://app.tidalcyber.com/references/e38902bb-9bab-5beb-817b-668a67a76541)]</sup><sup>[[FireEye APT34 Dec 2017](https://app.tidalcyber.com/references/88f41728-08ad-4cd8-a418-895738d68b04)]</sup><sup>[[Unit 42 QUADAGENT July 2018](https://app.tidalcyber.com/references/320f49df-7b0a-4a6a-8542-17b0f56c94c9)]</sup>",
"description": "[OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.<sup>[[FireEye APT34 Dec 2017](https://app.tidalcyber.com/references/88f41728-08ad-4cd8-a418-895738d68b04)]</sup><sup>[[Palo Alto OilRig April 2017](https://app.tidalcyber.com/references/fb561cdd-03f6-4867-b5b5-7e4deb11f0d0)]</sup><sup>[[ClearSky OilRig Jan 2017](https://app.tidalcyber.com/references/f19f9ad4-bb31-443b-9c26-87946469a0c3)]</sup><sup>[[Palo Alto OilRig May 2016](https://app.tidalcyber.com/references/53836b95-a30a-4e95-8e19-e2bb2f18c738)]</sup><sup>[[Palo Alto OilRig Oct 2016](https://app.tidalcyber.com/references/14bbb07b-caeb-4d17-8e54-047322a5930c)]</sup><sup>[[Unit42 OilRig Playbook 2023](https://app.tidalcyber.com/references/e38902bb-9bab-5beb-817b-668a67a76541)]</sup><sup>[[Unit 42 QUADAGENT July 2018](https://app.tidalcyber.com/references/320f49df-7b0a-4a6a-8542-17b0f56c94c9)]</sup>",
"meta": {
"country": "IR",
"group_attack_id": "G0049",
@ -3512,7 +3710,7 @@
"value": "OilRig"
},
{
"description": "[Orangeworm](https://app.tidalcyber.com/groups/863b7013-133d-4a82-93d2-51b53a8fd30e) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.<sup>[[Symantec Orangeworm April 2018](https://app.tidalcyber.com/references/eee5efa1-bbc6-44eb-8fae-23002f351605)]</sup>",
"description": "[Orangeworm](https://app.tidalcyber.com/groups/863b7013-133d-4a82-93d2-51b53a8fd30e) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.<sup>[[Symantec Orangeworm April 2018](https://app.tidalcyber.com/references/eee5efa1-bbc6-44eb-8fae-23002f351605)]</sup> Reverse engineering of [Kwampirs](https://app.tidalcyber.com/software/35ac4018-8506-4025-a9e3-bd017700b3b3), directly associated with [Orangeworm](https://app.tidalcyber.com/groups/863b7013-133d-4a82-93d2-51b53a8fd30e) activity, indicates significant functional and development overlaps with [Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5).<sup>[[Cylera Kwampirs 2022](https://app.tidalcyber.com/references/06442111-2c71-5efb-9530-cabeba159a91)]</sup>",
"meta": {
"group_attack_id": "G0071",
"observed_countries": [
@ -3955,6 +4153,7 @@
],
"source": "MITRE",
"tags": [
"b20e7912-6a8d-46e3-8e13-9a3fc4813852",
"f2ae2283-f94d-4f8f-bbde-43f2bed66c55"
],
"target_categories": [
@ -3987,7 +4186,7 @@
"value": "Scarlet Mimic"
},
{
"description": "[Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.<sup>[[CrowdStrike Scattered Spider Profile](https://app.tidalcyber.com/references/a865a984-7f7b-5f82-ac4a-6fac79a2a753)]</sup><sup>[[CrowdStrike Scattered Spider BYOVD January 2023](https://app.tidalcyber.com/references/d7d86f5d-1f02-54b0-b6f4-879878563245)]</sup><sup>[[Crowdstrike TELCO BPO Campaign December 2022](https://app.tidalcyber.com/references/382785e1-4ef3-506e-b74f-cd07df9ae46e)]</sup>",
"description": "[Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) is a native English-speaking cybercriminal group that has been active since at least 2022.<sup>[[CrowdStrike Scattered Spider Profile](https://app.tidalcyber.com/references/a865a984-7f7b-5f82-ac4a-6fac79a2a753)]</sup><sup>[[MSTIC Octo Tempest Operations October 2023](https://app.tidalcyber.com/references/92716d7d-3ca5-5d7a-b719-946e94828f13)]</sup> The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. Beginning in 2023, [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.<sup>[[MSTIC Octo Tempest Operations October 2023](https://app.tidalcyber.com/references/92716d7d-3ca5-5d7a-b719-946e94828f13)]</sup> During campaigns, [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.<sup>[[CISA Scattered Spider Advisory November 2023](https://app.tidalcyber.com/references/deae8b2c-39dd-5252-b846-88e1cab099c2)]</sup><sup>[[CrowdStrike Scattered Spider BYOVD January 2023](https://app.tidalcyber.com/references/d7d86f5d-1f02-54b0-b6f4-879878563245)]</sup><sup>[[CrowdStrike Scattered Spider Profile](https://app.tidalcyber.com/references/a865a984-7f7b-5f82-ac4a-6fac79a2a753)]</sup><sup>[[MSTIC Octo Tempest Operations October 2023](https://app.tidalcyber.com/references/92716d7d-3ca5-5d7a-b719-946e94828f13)]</sup><sup>[[Crowdstrike TELCO BPO Campaign December 2022](https://app.tidalcyber.com/references/382785e1-4ef3-506e-b74f-cd07df9ae46e)]</sup>",
"meta": {
"group_attack_id": "G1015",
"observed_countries": [
@ -4505,6 +4704,16 @@
"uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4",
"value": "Thrip"
},
{
"description": "[ToddyCat](https://app.tidalcyber.com/groups/0f41da7d-1e47-58fe-ba6e-ee658a985e1b) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.<sup>[[Kaspersky ToddyCat June 2022](https://app.tidalcyber.com/references/285c038b-e5fc-57ef-9a98-d9e24c52e2cf)]</sup><sup>[[Kaspersky ToddyCat Check Logs October 2023](https://app.tidalcyber.com/references/dbdaf320-eada-5bbb-95ab-aaa987ed7960)]</sup>",
"meta": {
"group_attack_id": "G1022",
"source": "MITRE"
},
"related": [],
"uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b",
"value": "ToddyCat"
},
{
"description": "[Tonto Team](https://app.tidalcyber.com/groups/9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. [Tonto Team](https://app.tidalcyber.com/groups/9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c) has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).<sup>[[Kaspersky CactusPete Aug 2020](https://app.tidalcyber.com/references/1c393964-e717-45ad-8eb6-5df5555d3c70)]</sup><sup>[[ESET Exchange Mar 2021](https://app.tidalcyber.com/references/c83f1810-22bb-4def-ab2f-3f3d67703f47)]</sup><sup>[[FireEye Chinese Espionage October 2019](https://app.tidalcyber.com/references/d37c069c-7fb8-44e1-8377-da97e8bbcf67)]</sup><sup>[[ARS Technica China Hack SK April 2017](https://app.tidalcyber.com/references/c9c647b6-f4fb-44d6-9376-23c1ae9520b4)]</sup><sup>[[Trend Micro HeartBeat Campaign January 2013](https://app.tidalcyber.com/references/f42a36c2-1ca5-49ff-a7ec-7de90379a6d5)]</sup><sup>[[Talos Bisonal 10 Years March 2020](https://app.tidalcyber.com/references/6844e59b-d393-43df-9978-e3e3cc7b8db6)]</sup>",
"meta": {
@ -4706,6 +4915,30 @@
"uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"value": "Turla"
},
{
"description": "UAT4356 (aka Storm-1849) is an actor attributed to the ArcaneDoor campaign targeting Cisco Adaptive Security Appliance (ASA) network devices. The suspected espionage activity targeted unspecified government institutions around the world.<sup>[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]</sup> Anonymous sources indicated that the ArcaneDoor campaign appeared aligned with China's state interests.<sup>[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)]</sup>",
"meta": {
"country": "CN",
"group_attack_id": "G5022",
"observed_motivations": [
"Cyber Espionage"
],
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
"a159c91c-5258-49ea-af7d-e803008d97d3",
"6bb2f579-a5cd-4647-9dcd-eff05efe3679",
"c25f341a-7030-4688-a00b-6d637298e52e",
"9768aada-9d63-4d46-ab9f-d41b8c8e4010"
],
"target_categories": [
"Government"
]
},
"related": [],
"uuid": "f69c7e2f-b616-4782-b2f3-28e9b6702eb4",
"value": "UAT4356"
},
{
"description": "Vice Society is an extortion-focused threat actor group first observed in mid-2021. The group gained notoriety after targeting a considerable number of educational institutions, especially lower education institutions. Although the education sector accounts for a disproportionate amount of the groups victims, Vice Society has claimed victims in multiple other industries too, including the healthcare, retail, financial, insurance, and public services sectors. The group regularly pressures victims into paying a ransom by threatening to leak data exfiltrated during its intrusions. Vice Society is not known to have developed its own ransomware, instead deploying other existing families, including HELLOKITTY/FIVEHANDS and Zeppelin.<sup>[[U.S. CISA Vice Society September 2022](/references/0a754513-5f20-44a0-8cea-c5d9519106c8)]</sup>\n\n**Related Vulnerabilities**: CVE-2021-1675<sup>[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)]</sup>, CVE-2021-34527<sup>[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)]</sup>",
"meta": {
@ -5061,6 +5294,9 @@
"Cyber Espionage"
],
"source": "MITRE",
"tags": [
"b20e7912-6a8d-46e3-8e13-9a3fc4813852"
],
"target_categories": [
"Aerospace",
"Construction",

4877
clusters/tidal-references.json
View File

File diff suppressed because it is too large Load Diff

2445
clusters/tidal-software.json
View File

File diff suppressed because it is too large Load Diff

72
clusters/tidal-tactic.json
View File

@ -384,6 +384,14 @@
{
"dest-uuid": "478da817-1914-50f6-b1fd-434081a34354",
"type": "uses"
},
{
"dest-uuid": "9938f7ab-c7d0-5483-bdb9-565431a049ff",
"type": "uses"
},
{
"dest-uuid": "f57c8d43-ca88-5351-9828-36b1937daf0e",
"type": "uses"
}
],
"uuid": "989d09c2-12b8-4419-9b34-a328cf295fff",
@ -636,6 +644,10 @@
{
"dest-uuid": "944a7b91-c58e-567d-9e2c-515b93713c50",
"type": "uses"
},
{
"dest-uuid": "889b6cfa-dfb4-5d9f-beef-6c7c2e171454",
"type": "uses"
}
],
"uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
@ -1108,6 +1120,18 @@
{
"dest-uuid": "0719ea2b-d630-5ada-9b04-c3136ff530ae",
"type": "uses"
},
{
"dest-uuid": "3d6727cd-d297-51e9-a6a2-8718284bf8e5",
"type": "uses"
},
{
"dest-uuid": "b9490b5f-645c-54a6-bf50-ad63540e6a07",
"type": "uses"
},
{
"dest-uuid": "2fa370dd-42be-5c10-85e8-294624c8a778",
"type": "uses"
}
],
"uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
@ -1536,6 +1560,18 @@
{
"dest-uuid": "15660958-1f4f-4136-8cda-82123fd38232",
"type": "uses"
},
{
"dest-uuid": "3d6727cd-d297-51e9-a6a2-8718284bf8e5",
"type": "uses"
},
{
"dest-uuid": "b9490b5f-645c-54a6-bf50-ad63540e6a07",
"type": "uses"
},
{
"dest-uuid": "769d2e67-5430-5fdd-9a07-d1b227110ec0",
"type": "uses"
}
],
"uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
@ -2312,6 +2348,34 @@
{
"dest-uuid": "04e8e75c-434e-51e0-9780-580a3823a8cb",
"type": "uses"
},
{
"dest-uuid": "3b8f1fe2-f6f1-5660-a0b3-2f6be096b791",
"type": "uses"
},
{
"dest-uuid": "49714d10-6f44-5035-a448-66c2a3f3cdd6",
"type": "uses"
},
{
"dest-uuid": "3d6727cd-d297-51e9-a6a2-8718284bf8e5",
"type": "uses"
},
{
"dest-uuid": "b02bc1f4-fbed-5eab-918c-f367c39cc3ba",
"type": "uses"
},
{
"dest-uuid": "2fa370dd-42be-5c10-85e8-294624c8a778",
"type": "uses"
},
{
"dest-uuid": "afe01d48-73bc-5e52-aa5f-2310911c2e3c",
"type": "uses"
},
{
"dest-uuid": "769d2e67-5430-5fdd-9a07-d1b227110ec0",
"type": "uses"
}
],
"uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
@ -2580,6 +2644,10 @@
{
"dest-uuid": "260571a6-3c08-5419-98c5-3fa1aa8e675d",
"type": "uses"
},
{
"dest-uuid": "2fa370dd-42be-5c10-85e8-294624c8a778",
"type": "uses"
}
],
"uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
@ -3212,6 +3280,10 @@
{
"dest-uuid": "3f95e4f2-cd4a-502c-a12a-becb8d28440c",
"type": "uses"
},
{
"dest-uuid": "a3a2a527-39e7-58b4-a3cc-932eb0cef562",
"type": "uses"
}
],
"uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",

149
clusters/tidal-technique.json
View File

@ -10,7 +10,7 @@
"uuid": "298b6aee-981b-4fd8-8759-a2e72ad223fa",
"values": [
{
"description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.",
"description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.<sup>[[TechNet How UAC Works](https://app.tidalcyber.com/references/bbf8d1a3-115e-4bc8-be43-47ce3b295d45)]</sup><sup>[[sudo man page 2018](https://app.tidalcyber.com/references/659d4302-d4cf-41af-8007-aa1da0208aa0)]</sup> An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.<sup>[[OSX Keydnap malware](https://app.tidalcyber.com/references/d43e0dd1-0946-4f49-bcc7-3ef38445eac3)]</sup><sup>[[Fortinet Fareit](https://app.tidalcyber.com/references/d06223d7-2d86-41c6-af23-50865a1810c0)]</sup>",
"meta": {
"platforms": [
"Azure AD",
@ -79,7 +79,7 @@
"value": "Account Access Removal"
},
{
"description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).\n\nAdversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.\n\nFor examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected systems files.",
"description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).\n\nAdversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.\n\nFor examples, cloud environments typically provide easily accessible interfaces to obtain user lists.<sup>[[AWS List Users](https://app.tidalcyber.com/references/517e3d27-36da-4810-b256-3f47147b36e3)]</sup><sup>[[Google Cloud - IAM Servie Accounts List API](https://app.tidalcyber.com/references/3ffad706-1dac-41dd-b197-06f22fec3b30)]</sup> On hosts, adversaries can use default [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected systems files.",
"meta": {
"platforms": [
"Azure AD",
@ -103,7 +103,7 @@
"value": "Account Discovery"
},
{
"description": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406).",
"description": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.<sup>[[FireEye SMOKEDHAM June 2021](https://app.tidalcyber.com/references/a81ad3ef-fd96-432c-a7c8-ccc86d127a1b)]</sup> These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406).",
"meta": {
"platforms": [
"Azure AD",
@ -150,7 +150,7 @@
"value": "Acquire Access"
},
{
"description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.<sup>[[TrendmicroHideoutsLease](https://app.tidalcyber.com/references/527de869-3c76-447c-98c4-c37a2acf75e2)]</sup> Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b), including from residential proxy services.<sup>[[amnesty_nso_pegasus](https://app.tidalcyber.com/references/9e40d93a-fe91-504a-a6f2-e6546067ba53)]</sup><sup>[[FBI Proxies Credential Stuffing](https://app.tidalcyber.com/references/17f9b7b0-3e1a-5d75-9030-da79fcccdb49)]</sup><sup>[[Mandiant APT29 Microsoft 365 2022](https://app.tidalcyber.com/references/e141408e-d22b-58e4-884f-0cbff25444da)]</sup> Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.",
"description": "Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.<sup>[[TrendmicroHideoutsLease](https://app.tidalcyber.com/references/527de869-3c76-447c-98c4-c37a2acf75e2)]</sup> Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.<sup>[[Free Trial PurpleUrchin](https://app.tidalcyber.com/references/841f397d-d103-56d7-9854-7ce43c684879)]</sup> Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b), including from residential proxy services.<sup>[[amnesty_nso_pegasus](https://app.tidalcyber.com/references/9e40d93a-fe91-504a-a6f2-e6546067ba53)]</sup><sup>[[FBI Proxies Credential Stuffing](https://app.tidalcyber.com/references/17f9b7b0-3e1a-5d75-9030-da79fcccdb49)]</sup><sup>[[Mandiant APT29 Microsoft 365 2022](https://app.tidalcyber.com/references/e141408e-d22b-58e4-884f-0cbff25444da)]</sup> Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.",
"meta": {
"platforms": [
"PRE"
@ -184,7 +184,7 @@
"value": "Active Scanning"
},
{
"description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://app.tidalcyber.com/technique/bbad213d-477d-43bf-9501-ad7d74bac323), [Transmitted Data Manipulation](https://app.tidalcyber.com/technique/70365fab-8531-4a0e-b147-7cabdfdef243), or replay attacks ([Exploitation for Credential Access](https://app.tidalcyber.com/technique/afdfa503-0464-4b42-a79c-a6fc828492ef)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.<sup>[[Rapid7 MiTM Basics](https://app.tidalcyber.com/references/33b25966-0ab9-4cc6-9702-62263a23af9c)]</sup>\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.<sup>[[ttint_rat](https://app.tidalcyber.com/references/f3e60cae-3225-4800-bc15-cb46ff715061)]</sup><sup>[[dns_changer_trojans](https://app.tidalcyber.com/references/082a0fde-d9f9-45f2-915d-f14c77b62254)]</sup><sup>[[ad_blocker_with_miner](https://app.tidalcyber.com/references/8e30f71e-80b8-4662-bc95-bf3cf7cfcf40)]</sup> Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.<sup>[[volexity_0day_sophos_FW](https://app.tidalcyber.com/references/85bee18e-216d-4ea6-b34e-b071e3f63382)]</sup> [Downgrade Attack](https://app.tidalcyber.com/technique/257fffe4-d17b-4e63-a41c-8388936d6215)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.<sup>[[mitm_tls_downgrade_att](https://app.tidalcyber.com/references/af907fe1-1e37-4f44-8ad4-fcc3826ee6fb)]</sup><sup>[[taxonomy_downgrade_att_tls](https://app.tidalcyber.com/references/4459076e-7c79-4855-9091-5aabd274f586)]</sup><sup>[[tlseminar_downgrade_att](https://app.tidalcyber.com/references/8b5d46bf-fb4e-4ecd-b8a9-9c084c1864a3)]</sup>\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://app.tidalcyber.com/technique/70365fab-8531-4a0e-b147-7cabdfdef243). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://app.tidalcyber.com/technique/e3be3d76-0a36-4060-8003-3b39c557f728) and/or in support of a [Network Denial of Service](https://app.tidalcyber.com/technique/e6c14a7b-1fb8-4557-83e7-7f5b89717311).",
"description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://app.tidalcyber.com/technique/bbad213d-477d-43bf-9501-ad7d74bac323), [Transmitted Data Manipulation](https://app.tidalcyber.com/technique/70365fab-8531-4a0e-b147-7cabdfdef243), or replay attacks ([Exploitation for Credential Access](https://app.tidalcyber.com/technique/afdfa503-0464-4b42-a79c-a6fc828492ef)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.<sup>[[Rapid7 MiTM Basics](https://app.tidalcyber.com/references/33b25966-0ab9-4cc6-9702-62263a23af9c)]</sup>\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.<sup>[[ttint_rat](https://app.tidalcyber.com/references/f3e60cae-3225-4800-bc15-cb46ff715061)]</sup><sup>[[dns_changer_trojans](https://app.tidalcyber.com/references/082a0fde-d9f9-45f2-915d-f14c77b62254)]</sup><sup>[[ad_blocker_with_miner](https://app.tidalcyber.com/references/8e30f71e-80b8-4662-bc95-bf3cf7cfcf40)]</sup> Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens ([Steal Application Access Token](https://app.tidalcyber.com/technique/f78f2c87-626a-468f-93a5-31b61be17727)) and session cookies ([Steal Web Session Cookie](https://app.tidalcyber.com/technique/17f9e46d-4e3d-4491-a0d9-0cc042531d6e)).<sup>[[volexity_0day_sophos_FW](https://app.tidalcyber.com/references/85bee18e-216d-4ea6-b34e-b071e3f63382)]</sup><sup>[[Token tactics](https://app.tidalcyber.com/references/e254e336-2e3e-5bea-a9e9-0f42f333b894)]</sup> [Downgrade Attack](https://app.tidalcyber.com/technique/257fffe4-d17b-4e63-a41c-8388936d6215)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.<sup>[[mitm_tls_downgrade_att](https://app.tidalcyber.com/references/af907fe1-1e37-4f44-8ad4-fcc3826ee6fb)]</sup><sup>[[taxonomy_downgrade_att_tls](https://app.tidalcyber.com/references/4459076e-7c79-4855-9091-5aabd274f586)]</sup><sup>[[tlseminar_downgrade_att](https://app.tidalcyber.com/references/8b5d46bf-fb4e-4ecd-b8a9-9c084c1864a3)]</sup>\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://app.tidalcyber.com/technique/70365fab-8531-4a0e-b147-7cabdfdef243). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://app.tidalcyber.com/technique/e3be3d76-0a36-4060-8003-3b39c557f728) and/or in support of a [Network Denial of Service](https://app.tidalcyber.com/technique/e6c14a7b-1fb8-4557-83e7-7f5b89717311).",
"meta": {
"platforms": [
"Linux",
@ -208,11 +208,12 @@
"value": "Adversary-in-the-Middle"
},
{
"description": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ",
"description": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.<sup>[[Mandiant APT29 Eye Spy Email Nov 22](https://app.tidalcyber.com/references/452ca091-42b1-5bef-8a01-921c1f46bbee)]</sup> ",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
@ -246,7 +247,7 @@
"value": "Application Window Discovery"
},
{
"description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.",
"description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.<sup>[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)]</sup> Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.",
"meta": {
"platforms": [
"Linux",
@ -265,7 +266,7 @@
"value": "Archive Collected Data"
},
{
"description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.",
"description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.<sup>[[ESET Attor Oct 2019](https://app.tidalcyber.com/references/fdd57c56-d989-4a6f-8cc5-5b3713605dec)]</sup>\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.",
"meta": {
"platforms": [
"Linux",
@ -284,7 +285,7 @@
"value": "Audio Capture"
},
{
"description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) and [Lateral Tool Transfer](https://app.tidalcyber.com/technique/3dea57fc-3131-408b-a1fd-ff2eea1d858f) to identify and move files, as well as [Cloud Service Dashboard](https://app.tidalcyber.com/technique/315ce434-ad6d-4dae-a1dd-6db944a44422) and [Cloud Storage Object Discovery](https://app.tidalcyber.com/technique/92761d92-a288-4407-a112-bb2720f07d07) to identify resources in cloud environments.",
"description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. \n\nIn cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.<sup>[[Mandiant UNC3944 SMS Phishing 2023](https://app.tidalcyber.com/references/3a310dbd-4b5c-5eaf-a4ce-699e52007c9b)]</sup> \n\nThis functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) and [Lateral Tool Transfer](https://app.tidalcyber.com/technique/3dea57fc-3131-408b-a1fd-ff2eea1d858f) to identify and move files, as well as [Cloud Service Dashboard](https://app.tidalcyber.com/technique/315ce434-ad6d-4dae-a1dd-6db944a44422) and [Cloud Storage Object Discovery](https://app.tidalcyber.com/technique/92761d92-a288-4407-a112-bb2720f07d07) to identify resources in cloud environments.",
"meta": {
"platforms": [
"IaaS",
@ -305,7 +306,7 @@
"value": "Automated Collection"
},
{
"description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. \n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://app.tidalcyber.com/technique/89203cae-d3f1-4eef-9b5a-29042eb05d19) and [Exfiltration Over Alternative Protocol](https://app.tidalcyber.com/technique/192d25ea-bae1-48e4-88de-e0acd481ab88).",
"description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.<sup>[[ESET Gamaredon June 2020](https://app.tidalcyber.com/references/6532664d-2311-4b38-8960-f43762471729)]</sup> \n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://app.tidalcyber.com/technique/89203cae-d3f1-4eef-9b5a-29042eb05d19) and [Exfiltration Over Alternative Protocol](https://app.tidalcyber.com/technique/192d25ea-bae1-48e4-88de-e0acd481ab88).",
"meta": {
"platforms": [
"Linux",
@ -351,6 +352,7 @@
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
@ -369,11 +371,12 @@
"value": "Boot or Logon Autostart Execution"
},
{
"description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.",
"description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.<sup>[[Mandiant APT29 Eye Spy Email Nov 22](https://app.tidalcyber.com/references/452ca091-42b1-5bef-8a01-921c1f46bbee)]</sup><sup>[[Anomali Rocke March 2019](https://app.tidalcyber.com/references/31051c8a-b523-4b8e-b834-2168c59e783b)]</sup> Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
@ -392,7 +395,7 @@
"value": "Boot or Logon Initialization Scripts"
},
{
"description": "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.<sup>[[Wikipedia Browser Extension](https://app.tidalcyber.com/references/52aef082-3f8e-41b4-af95-6631ce4c9e91)]</sup><sup>[[Chrome Extensions Definition](https://app.tidalcyber.com/references/fe00cee9-54d9-4775-86da-b7db73295bf7)]</sup>\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.<sup>[[Malicious Chrome Extension Numbers](https://app.tidalcyber.com/references/f34fcf1f-370e-4b6e-9cc4-7ee4075faf6e)]</sup> Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.\n\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the <code>profiles</code> tool to install malicious <code>.mobileconfig</code> files. In macOS 11+, the use of the <code>profiles</code> tool can no longer install configuration profiles, however <code>.mobileconfig</code> files can be planted and installed with user interaction.<sup>[[xorrior chrome extensions macOS](https://app.tidalcyber.com/references/84bfd3a1-bda2-4821-ac52-6af8515e5879)]</sup>\n\nOnce the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.<sup>[[Chrome Extension Crypto Miner](https://app.tidalcyber.com/references/ae28f530-40da-451e-89b8-b472340c3e0a)]</sup><sup>[[ICEBRG Chrome Extensions](https://app.tidalcyber.com/references/459bfd4a-7a9b-4d65-b574-acb221428dad)]</sup><sup>[[Banker Google Chrome Extension Steals Creds](https://app.tidalcyber.com/references/93f37adc-d060-4b35-9a4d-62d2ad61cdf3)]</sup><sup>[[Catch All Chrome Extension](https://app.tidalcyber.com/references/eddd2ea8-89c1-40f9-b6e3-37cbdebd210e)]</sup>\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.<sup>[[Stantinko Botnet](https://app.tidalcyber.com/references/d81e0274-76f4-43ce-b829-69f761e280dc)]</sup> There have also been similar examples of extensions being used for command & control.<sup>[[Chrome Extension C2 Malware](https://app.tidalcyber.com/references/b0fdf9c7-614b-4269-ba3e-7d8b02aa8502)]</sup>",
"description": "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.<sup>[[Wikipedia Browser Extension](https://app.tidalcyber.com/references/52aef082-3f8e-41b4-af95-6631ce4c9e91)]</sup><sup>[[Chrome Extensions Definition](https://app.tidalcyber.com/references/fe00cee9-54d9-4775-86da-b7db73295bf7)]</sup>\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.<sup>[[Malicious Chrome Extension Numbers](https://app.tidalcyber.com/references/f34fcf1f-370e-4b6e-9cc4-7ee4075faf6e)]</sup> Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.\n\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the <code>profiles</code> tool to install malicious <code>.mobileconfig</code> files. In macOS 11+, the use of the <code>profiles</code> tool can no longer install configuration profiles, however <code>.mobileconfig</code> files can be planted and installed with user interaction.<sup>[[xorrior chrome extensions macOS](https://app.tidalcyber.com/references/84bfd3a1-bda2-4821-ac52-6af8515e5879)]</sup>\n\nOnce the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.<sup>[[Chrome Extension Crypto Miner](https://app.tidalcyber.com/references/ae28f530-40da-451e-89b8-b472340c3e0a)]</sup><sup>[[ICEBRG Chrome Extensions](https://app.tidalcyber.com/references/459bfd4a-7a9b-4d65-b574-acb221428dad)]</sup><sup>[[Banker Google Chrome Extension Steals Creds](https://app.tidalcyber.com/references/93f37adc-d060-4b35-9a4d-62d2ad61cdf3)]</sup><sup>[[Catch All Chrome Extension](https://app.tidalcyber.com/references/eddd2ea8-89c1-40f9-b6e3-37cbdebd210e)]</sup>\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for [Command and Control](https://app.tidalcyber.com/tactics/94ffe549-1c29-438d-9c7f-e27f7acee0bb).<sup>[[Stantinko Botnet](https://app.tidalcyber.com/references/d81e0274-76f4-43ce-b829-69f761e280dc)]</sup><sup>[[Chrome Extension C2 Malware](https://app.tidalcyber.com/references/b0fdf9c7-614b-4269-ba3e-7d8b02aa8502)]</sup> Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for [Defense Evasion](https://app.tidalcyber.com/tactics/8e29c6c9-0c10-4bb0-827d-ff0ab8922726).<sup>[[Browers FriarFox](https://app.tidalcyber.com/references/3fe79fc8-c86d-57ad-961f-30fddd0e5f62)]</sup><sup>[[Browser Adrozek](https://app.tidalcyber.com/references/48afb730-b5e1-5a85-bb60-9ef9b536e397)]</sup> ",
"meta": {
"platforms": [
"Linux",
@ -447,7 +450,7 @@
"value": "Browser Session Hijacking"
},
{
"description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), [Account Discovery](https://app.tidalcyber.com/technique/6736995e-b9ea-401b-81fa-6caeb7a17ce3), or [Password Policy Discovery](https://app.tidalcyber.com/technique/2bf2e498-99c8-4e36-ad4b-e675d95ac925). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) as part of Initial Access.",
"description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.<sup>[[TrendMicro Pawn Storm Dec 2020](https://app.tidalcyber.com/references/3bc249cd-f29a-4a74-a179-a6860e43683f)]</sup> Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.<sup>[[Dragos Crashoverride 2018](https://app.tidalcyber.com/references/d14442d5-2557-4a92-9a29-b15a20752f56)]</sup> Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), [Account Discovery](https://app.tidalcyber.com/technique/6736995e-b9ea-401b-81fa-6caeb7a17ce3), or [Password Policy Discovery](https://app.tidalcyber.com/technique/2bf2e498-99c8-4e36-ad4b-e675d95ac925). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) as part of Initial Access.",
"meta": {
"platforms": [
"Azure AD",
@ -509,10 +512,9 @@
"value": "Clipboard Data"
},
{
"description": "Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.<sup>[[AWS Systems Manager Run Command](https://app.tidalcyber.com/references/ef66f17b-6a5b-5eb8-83de-943e2bddd114)]</sup><sup>[[Microsoft Run Command](https://app.tidalcyber.com/references/4f2e6adb-6e3d-5f1f-b873-4b99797f2bfa)]</sup><sup>[[SpecterOps Lateral Movement from Azure to On-Prem AD 2020](https://app.tidalcyber.com/references/eb97d3d6-21cb-5f27-9a78-1e8576acecdc)]</sup>\n\nIf an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environments virtual machines or on-premises hybrid-joined devices. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf) to execute commands in connected virtual machines.<sup>[[MSTIC Nobelium Oct 2021](https://app.tidalcyber.com/references/7b6cc308-9871-47e5-9039-a9a7e66ce373)]</sup>",
"description": "Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. <sup>[[AWS Systems Manager Run Command](https://app.tidalcyber.com/references/ef66f17b-6a5b-5eb8-83de-943e2bddd114)]</sup><sup>[[Microsoft Run Command](https://app.tidalcyber.com/references/4f2e6adb-6e3d-5f1f-b873-4b99797f2bfa)]</sup>\n\nIf an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environments virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf) to execute commands in connected virtual machines.<sup>[[MSTIC Nobelium Oct 2021](https://app.tidalcyber.com/references/7b6cc308-9871-47e5-9039-a9a7e66ce373)]</sup>",
"meta": {
"platforms": [
"Azure AD",
"IaaS"
],
"source": "MITRE"
@ -550,7 +552,8 @@
"Azure AD",
"Google Workspace",
"IaaS",
"Office 365"
"Office 365",
"SaaS"
],
"source": "MITRE"
},
@ -626,7 +629,7 @@
"value": "Command and Scripting Interpreter"
},
{
"description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://app.tidalcyber.com/technique/6a7ab25e-49ed-4cd3-b199-5d80b728b416). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.",
"description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.<sup>[[ESET Sednit USBStealer 2014](https://app.tidalcyber.com/references/8673f7fc-5b23-432a-a2d8-700ece46bd0f)]</sup> Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://app.tidalcyber.com/technique/6a7ab25e-49ed-4cd3-b199-5d80b728b416). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.",
"meta": {
"platforms": [
"Linux",
@ -662,7 +665,7 @@
"value": "Compromise Accounts"
},
{
"description": "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)<sup>[[Unit42 Banking Trojans Hooking 2022](https://app.tidalcyber.com/references/411c3df4-08e6-518a-953d-19988b663dc4)]</sup> prior to the binarys legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.<sup>[[ESET FontOnLake Analysis 2021](https://app.tidalcyber.com/references/dbcced87-91ee-514f-98c8-29a85d967384)]</sup>\n\nSince these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.",
"description": "Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.\n\nAdversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.\n\nAn adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)<sup>[[Unit42 Banking Trojans Hooking 2022](https://app.tidalcyber.com/references/411c3df4-08e6-518a-953d-19988b663dc4)]</sup> prior to the binarys legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.<sup>[[ESET FontOnLake Analysis 2021](https://app.tidalcyber.com/references/dbcced87-91ee-514f-98c8-29a85d967384)]</sup>",
"meta": {
"platforms": [
"Linux",
@ -678,10 +681,10 @@
}
],
"uuid": "05435e33-05fe-4a41-b8e4-694d45eb9147",
"value": "Compromise Client Software Binary"
"value": "Compromise Host Software Binary"
},
{
"description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.<sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup><sup>[[ICANNDomainNameHijacking](https://app.tidalcyber.com/references/96c5ec6c-d53d-49c3-bca1-0b6abe0080e6)]</sup><sup>[[Talos DNSpionage Nov 2018](https://app.tidalcyber.com/references/d597ad7d-f808-4289-b42a-79807248c2d6)]</sup><sup>[[FireEye EPS Awakens Part 2](https://app.tidalcyber.com/references/7fd58ef5-a0b7-40b6-8771-ca5e87740965)]</sup> Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://app.tidalcyber.com/technique/4c0db4e5-14e0-4fb7-88b0-bb391ce5ad58)) to further blend in and support staged information gathering and/or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) campaigns.<sup>[[FireEye DNS Hijack 2019](https://app.tidalcyber.com/references/2c696e90-11eb-4196-9946-b5c4c11ccddc)]</sup> Additionally, adversaries may also compromise infrastructure to support [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) and/or proxyware services.<sup>[[amnesty_nso_pegasus](https://app.tidalcyber.com/references/9e40d93a-fe91-504a-a6f2-e6546067ba53)]</sup><sup>[[Sysdig Proxyjacking](https://app.tidalcyber.com/references/26562be2-cab6-5867-9a43-d8a59c663596)]</sup>\n\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.<sup>[[NSA NCSC Turla OilRig](https://app.tidalcyber.com/references/3e86a807-5188-4278-9a58-babd23b86410)]</sup>",
"description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.<sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup><sup>[[ICANNDomainNameHijacking](https://app.tidalcyber.com/references/96c5ec6c-d53d-49c3-bca1-0b6abe0080e6)]</sup><sup>[[Talos DNSpionage Nov 2018](https://app.tidalcyber.com/references/d597ad7d-f808-4289-b42a-79807248c2d6)]</sup><sup>[[FireEye EPS Awakens Part 2](https://app.tidalcyber.com/references/7fd58ef5-a0b7-40b6-8771-ca5e87740965)]</sup> Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://app.tidalcyber.com/technique/4c0db4e5-14e0-4fb7-88b0-bb391ce5ad58)) to further blend in and support staged information gathering and/or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) campaigns.<sup>[[FireEye DNS Hijack 2019](https://app.tidalcyber.com/references/2c696e90-11eb-4196-9946-b5c4c11ccddc)]</sup> Additionally, adversaries may also compromise infrastructure to support [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) and/or proxyware services.<sup>[[amnesty_nso_pegasus](https://app.tidalcyber.com/references/9e40d93a-fe91-504a-a6f2-e6546067ba53)]</sup><sup>[[Sysdig Proxyjacking](https://app.tidalcyber.com/references/26562be2-cab6-5867-9a43-d8a59c663596)]</sup>\n\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.<sup>[[NSA NCSC Turla OilRig](https://app.tidalcyber.com/references/3e86a807-5188-4278-9a58-babd23b86410)]</sup>",
"meta": {
"platforms": [
"PRE"
@ -755,7 +758,7 @@
"value": "Content Injection"
},
{
"description": "Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\n\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.",
"description": "Adversaries may create an account to maintain access to victim systems.<sup>[[Symantec WastedLocker June 2020](https://app.tidalcyber.com/references/061d8f74-a202-4089-acae-687e4f96933b)]</sup> With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\n\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.",
"meta": {
"platforms": [
"Azure AD",
@ -784,6 +787,7 @@
"description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.<sup>[[TechNet Services](https://app.tidalcyber.com/references/b50a3c2e-e997-4af5-8be0-3a8b3a959827)]</sup> On macOS, launchd processes known as [Launch Daemon](https://app.tidalcyber.com/technique/eff618a9-6498-4b01-bca1-cd5f3784fc27) and [Launch Agent](https://app.tidalcyber.com/technique/6dbe030c-5f87-4b45-9b6b-5bba2c0fad00) are run to finish system initialization and load user specific parameters.<sup>[[AppleDocs Launch Agent Daemons](https://app.tidalcyber.com/references/310d18f8-6f9a-48b7-af12-6b921209d1ab)]</sup> \n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. \n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.<sup>[[OSX Malware Detection](https://app.tidalcyber.com/references/0df0e28a-3c0b-4418-9f5a-77fffe37ac8a)]</sup> ",
"meta": {
"platforms": [
"Containers",
"Linux",
"macOS",
"Windows"
@ -804,7 +808,7 @@
"value": "Create or Modify System Process"
},
{
"description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
"description": "Adversaries may search for common password storage locations to obtain user credentials.<sup>[[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]</sup> Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
"meta": {
"platforms": [
"IaaS",
@ -1002,7 +1006,7 @@
"value": "Data from Removable Media"
},
{
"description": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
"description": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.<sup>[[Sygnia Elephant Beetle Jan 2022](https://app.tidalcyber.com/references/932897a6-0fa4-5be3-bf0b-20d6ddad238e)]</sup> By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
"meta": {
"platforms": [
"Linux",
@ -1021,7 +1025,7 @@
"value": "Data Manipulation"
},
{
"description": "Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. ",
"description": "Adversaries may obfuscate command and control traffic to make it more difficult to detect.<sup>[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)]</sup> Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. ",
"meta": {
"platforms": [
"Linux",
@ -1141,7 +1145,7 @@
"value": "Deobfuscate/Decode Files or Information"
},
{
"description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.\n\nContainers can be deployed by various means, such as via Docker's <code>create</code> and <code>start</code> APIs or via a web application such as the Kubernetes dashboard or Kubeflow.<sup>[[Docker Containers API](https://app.tidalcyber.com/references/2351cb32-23d6-4557-9c52-e6e228402bab)]</sup><sup>[[Kubernetes Dashboard](https://app.tidalcyber.com/references/02f23351-df83-4aae-a0bd-614ed91bc683)]</sup><sup>[[Kubeflow Pipelines](https://app.tidalcyber.com/references/0b40474c-173c-4a8c-8cc7-bac2dcfcaedd)]</sup> Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.<sup>[[Aqua Build Images on Hosts](https://app.tidalcyber.com/references/efd64f41-13cc-4b2b-864c-4d2352cdadcd)]</sup>",
"description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://app.tidalcyber.com/technique/bebaf25b-9f50-4e3b-96cc-cc55c5765b61) and access other containers running on the node. <sup>[[AppSecco Kubernetes Namespace Breakout 2020](https://app.tidalcyber.com/references/85852b3e-f6a3-5406-9dd5-a649358a53de)]</sup>\n\nContainers can be deployed by various means, such as via Docker's <code>create</code> and <code>start</code> APIs or via a web application such as the Kubernetes dashboard or Kubeflow. <sup>[[Docker Containers API](https://app.tidalcyber.com/references/2351cb32-23d6-4557-9c52-e6e228402bab)]</sup><sup>[[Kubernetes Dashboard](https://app.tidalcyber.com/references/02f23351-df83-4aae-a0bd-614ed91bc683)]</sup><sup>[[Kubeflow Pipelines](https://app.tidalcyber.com/references/0b40474c-173c-4a8c-8cc7-bac2dcfcaedd)]</sup> In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.<sup>[[Kubernetes Workload Management](https://app.tidalcyber.com/references/f207163b-08a8-5219-aca8-812e83e0dad3)]</sup> Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.<sup>[[Aqua Build Images on Hosts](https://app.tidalcyber.com/references/efd64f41-13cc-4b2b-864c-4d2352cdadcd)]</sup>",
"meta": {
"platforms": [
"Containers"
@ -1201,6 +1205,7 @@
"description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. <sup>[[Hakobyan 2009](https://app.tidalcyber.com/references/d92f6dc0-e902-4a4a-9083-8d1667a7003e)]</sup>\n\nUtilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.<sup>[[Github PowerSploit Ninjacopy](https://app.tidalcyber.com/references/e92aed6b-348b-4dab-8292-fee0698e4a85)]</sup> Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://app.tidalcyber.com/software/a7589733-6b04-4215-a4e7-4b62cd4610fa)) to create shadow copies or backups of data from system volumes.<sup>[[LOLBAS Esentutl](https://app.tidalcyber.com/references/691b4907-3544-4ad0-989c-b5c845e0330f)]</sup>",
"meta": {
"platforms": [
"Network",
"Windows"
],
"source": "MITRE"
@ -1235,10 +1240,11 @@
"value": "Disk Wipe"
},
{
"description": "Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.\n\nWith sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://app.tidalcyber.com/technique/723c6d51-91db-4658-9ee0-eafb953c2d82) to computers throughout the domain environment<sup>[[ADSecurity GPO Persistence 2016](https://app.tidalcyber.com/references/e304715f-7da1-4342-ba5b-d0387d93aeb2)]</sup><sup>[[Wald0 Guide to GPOs](https://app.tidalcyber.com/references/48bb84ac-56c8-4840-9a11-2cc76213e24e)]</sup><sup>[[Harmj0y Abusing GPO Permissions](https://app.tidalcyber.com/references/18cc9426-9b51-46fa-9106-99688385ebe4)]</sup> or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.<sup>[[Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks](https://app.tidalcyber.com/references/47031992-841f-4ef4-87c6-bb4c077fb8dc)]</sup> Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://app.tidalcyber.com/technique/c5eb5b88-6c62-4900-9b14-c4d67d420002).\n\nAdversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.",
"description": "Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.\n\nModifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants.\n\nWith sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential attacks malicious outcomes that can stem from this abuse. Examples of such abuse include: \n\n* modifying GPOs to push a malicious [Scheduled Task](https://app.tidalcyber.com/technique/723c6d51-91db-4658-9ee0-eafb953c2d82) to computers throughout the domain environment<sup>[[ADSecurity GPO Persistence 2016](https://app.tidalcyber.com/references/e304715f-7da1-4342-ba5b-d0387d93aeb2)]</sup><sup>[[Wald0 Guide to GPOs](https://app.tidalcyber.com/references/48bb84ac-56c8-4840-9a11-2cc76213e24e)]</sup><sup>[[Harmj0y Abusing GPO Permissions](https://app.tidalcyber.com/references/18cc9426-9b51-46fa-9106-99688385ebe4)]</sup>\n* modifying domain trusts to include an adversary-controlled domain, allowing adversaries to forge access tokens that will subsequently be accepted by victim domain resources<sup>[[Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks](https://app.tidalcyber.com/references/47031992-841f-4ef4-87c6-bb4c077fb8dc)]</sup>\n* changing configuration settings within the AD environment to implement a [Rogue Domain Controller](https://app.tidalcyber.com/technique/c5eb5b88-6c62-4900-9b14-c4d67d420002).\n* adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant <sup>[[Okta Cross-Tenant Impersonation 2023](https://app.tidalcyber.com/references/d54188b5-86eb-52a0-8384-823c45431762)]</sup>\n\nAdversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.",
"meta": {
"platforms": [
"Azure AD",
"SaaS",
"Windows"
],
"source": "MITRE"
@ -1254,7 +1260,7 @@
}
],
"uuid": "d092a9e1-63d0-415d-8cd0-666a261be5d9",
"value": "Domain Policy Modification"
"value": "Domain or Tenant Policy Modification"
},
{
"description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.<sup>[[Microsoft Trusts](https://app.tidalcyber.com/references/e6bfc6a8-9eea-4c65-9c2b-04749da72a92)]</sup> Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://app.tidalcyber.com/technique/dcb323f0-0fe6-4e26-9039-4f26f10cd3a5), [Pass the Ticket](https://app.tidalcyber.com/technique/5e771f38-6286-4330-b7b4-38071ad6b68a), and [Kerberoasting](https://app.tidalcyber.com/technique/2f980aed-b34a-4300-ac6b-70e7ddf6d9be).<sup>[[AdSecurity Forging Trust Tickets](https://app.tidalcyber.com/references/09d3ccc1-cd8a-4675-88c0-84110f5b8e8b)]</sup><sup>[[Harmj0y Domain Trusts](https://app.tidalcyber.com/references/23a9ef6c-9f71-47bb-929f-9a92f24553eb)]</sup> Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.<sup>[[Harmj0y Domain Trusts](https://app.tidalcyber.com/references/23a9ef6c-9f71-47bb-929f-9a92f24553eb)]</sup> The Windows utility [Nltest](https://app.tidalcyber.com/software/fbb1546a-f288-4e43-9e5c-14c94423c4f6) is known to be used by adversaries to enumerate domain trusts.<sup>[[Microsoft Operation Wilysupply](https://app.tidalcyber.com/references/567ce633-a061-460b-84af-01dfe3d818c7)]</sup>",
@ -1334,11 +1340,12 @@
"value": "Email Collection"
},
{
"description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.",
"description": "Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
@ -1378,7 +1385,7 @@
"value": "Endpoint Denial of Service"
},
{
"description": "Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.<sup>[[Docker Overview](https://app.tidalcyber.com/references/52954bb1-16b0-4717-a72c-8a6dec97610b)]</sup>\n\nThere are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the hosts filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.<sup>[[Docker Bind Mounts](https://app.tidalcyber.com/references/b298b3d1-30c1-4894-b1de-be11812cde6b)]</sup><sup>[[Trend Micro Privileged Container](https://app.tidalcyber.com/references/92ac290c-4863-4774-b334-848ed72e3627)]</sup><sup>[[Intezer Doki July 20](https://app.tidalcyber.com/references/688b2582-6602-44e1-aaac-3a4b8e168b04)]</sup><sup>[[Container Escape](https://app.tidalcyber.com/references/8248917a-9afd-4ec6-a086-1a97a68deff1)]</sup><sup>[[Crowdstrike Kubernetes Container Escape](https://app.tidalcyber.com/references/84d5f015-9014-417c-b2a9-f650fe19d448)]</sup><sup>[[Keyctl-unmask](https://app.tidalcyber.com/references/75db8c88-e547-4d1b-8f22-6ace2b3d7ad4)]</sup>\n\nAdditionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://app.tidalcyber.com/technique/0b9609dd-9f19-4747-ba6e-421b6b7ff03f).<sup>[[Container Escape](https://app.tidalcyber.com/references/8248917a-9afd-4ec6-a086-1a97a68deff1)]</sup> Adversaries may also escape via [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.<sup>[[Windows Server Containers Are Open](https://app.tidalcyber.com/references/9a801256-5852-433e-95bd-768f9b70b9fe)]</sup>\n\nGaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.",
"description": "Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.<sup>[[Docker Overview](https://app.tidalcyber.com/references/52954bb1-16b0-4717-a72c-8a6dec97610b)]</sup>\n\nThere are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the hosts filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.<sup>[[Docker Bind Mounts](https://app.tidalcyber.com/references/b298b3d1-30c1-4894-b1de-be11812cde6b)]</sup><sup>[[Trend Micro Privileged Container](https://app.tidalcyber.com/references/92ac290c-4863-4774-b334-848ed72e3627)]</sup><sup>[[Intezer Doki July 20](https://app.tidalcyber.com/references/688b2582-6602-44e1-aaac-3a4b8e168b04)]</sup><sup>[[Container Escape](https://app.tidalcyber.com/references/8248917a-9afd-4ec6-a086-1a97a68deff1)]</sup><sup>[[Crowdstrike Kubernetes Container Escape](https://app.tidalcyber.com/references/84d5f015-9014-417c-b2a9-f650fe19d448)]</sup><sup>[[Keyctl-unmask](https://app.tidalcyber.com/references/75db8c88-e547-4d1b-8f22-6ace2b3d7ad4)]</sup>\n\nAdditionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://app.tidalcyber.com/technique/0b9609dd-9f19-4747-ba6e-421b6b7ff03f).<sup>[[Container Escape](https://app.tidalcyber.com/references/8248917a-9afd-4ec6-a086-1a97a68deff1)]</sup> Adversaries may also escape via [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.<sup>[[Windows Server Containers Are Open](https://app.tidalcyber.com/references/9a801256-5852-433e-95bd-768f9b70b9fe)]</sup>\n\nGaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers running on the host, or setting up a command and control channel on the host.",
"meta": {
"platforms": [
"Containers",
@ -1397,7 +1404,7 @@
"value": "Escape to Host"
},
{
"description": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.<sup>[[NEWSCASTER2014](https://app.tidalcyber.com/references/9abb4bbb-bad3-4d22-b235-c8a35465f2ce)]</sup><sup>[[BlackHatRobinSage](https://app.tidalcyber.com/references/82068e93-a3f8-4d05-9358-6fe76a0055bb)]</sup>\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.<sup>[[NEWSCASTER2014](https://app.tidalcyber.com/references/9abb4bbb-bad3-4d22-b235-c8a35465f2ce)]</sup><sup>[[BlackHatRobinSage](https://app.tidalcyber.com/references/82068e93-a3f8-4d05-9358-6fe76a0055bb)]</sup>\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).<sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup>",
"description": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.<sup>[[NEWSCASTER2014](https://app.tidalcyber.com/references/9abb4bbb-bad3-4d22-b235-c8a35465f2ce)]</sup><sup>[[BlackHatRobinSage](https://app.tidalcyber.com/references/82068e93-a3f8-4d05-9358-6fe76a0055bb)]</sup>\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.<sup>[[NEWSCASTER2014](https://app.tidalcyber.com/references/9abb4bbb-bad3-4d22-b235-c8a35465f2ce)]</sup><sup>[[BlackHatRobinSage](https://app.tidalcyber.com/references/82068e93-a3f8-4d05-9358-6fe76a0055bb)]</sup>\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).<sup>[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]</sup> In addition, establishing accounts may allow adversaries to abuse free services, such as registering for trial periods to [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) for malicious purposes.<sup>[[Free Trial PurpleUrchin](https://app.tidalcyber.com/references/841f397d-d103-56d7-9854-7ce43c684879)]</sup>\n",
"meta": {
"platforms": [
"PRE"
@ -1661,7 +1668,7 @@
"value": "Exploitation of Remote Services"
},
{
"description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.<sup>[[NVD CVE-2016-6662](https://app.tidalcyber.com/references/1813c26d-da68-4a82-a959-27351dd5e51b)]</sup><sup>[[CIS Multiple SMB Vulnerabilities](https://app.tidalcyber.com/references/76d9da2c-1503-4105-b017-cb2b69298296)]</sup><sup>[[US-CERT TA18-106A Network Infrastructure Devices 2018](https://app.tidalcyber.com/references/8fdf280d-680f-4b8f-8fb9-6b3118ec3983)]</sup><sup>[[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)]</sup><sup>[[NVD CVE-2014-7169](https://app.tidalcyber.com/references/c3aab918-51c6-4773-8677-a89b27a00eb1)]</sup> Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://app.tidalcyber.com/technique/15b65bf2-dbe5-47bc-be09-ed97684bf391). \n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://app.tidalcyber.com/technique/bebaf25b-9f50-4e3b-96cc-cc55c5765b61), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.<sup>[[Mandiant Fortinet Zero Day](https://app.tidalcyber.com/references/7bdc5bbb-ebbd-5eb8-bd10-9087c883aea7)]</sup><sup>[[Wired Russia Cyberwar](https://app.tidalcyber.com/references/28c53a97-5500-5bfb-8aac-3c0bf94c2dfe)]</sup>\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.<sup>[[OWASP Top 10](https://app.tidalcyber.com/references/c6db3a77-4d01-4b4d-886d-746d676ed6d0)]</sup><sup>[[CWE top 25](https://app.tidalcyber.com/references/d8ee8b1f-c18d-48f3-9758-6860cd31c3e3)]</sup>",
"description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.<sup>[[NVD CVE-2016-6662](https://app.tidalcyber.com/references/1813c26d-da68-4a82-a959-27351dd5e51b)]</sup><sup>[[CIS Multiple SMB Vulnerabilities](https://app.tidalcyber.com/references/76d9da2c-1503-4105-b017-cb2b69298296)]</sup><sup>[[US-CERT TA18-106A Network Infrastructure Devices 2018](https://app.tidalcyber.com/references/8fdf280d-680f-4b8f-8fb9-6b3118ec3983)]</sup><sup>[[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)]</sup><sup>[[NVD CVE-2014-7169](https://app.tidalcyber.com/references/c3aab918-51c6-4773-8677-a89b27a00eb1)]</sup> Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://app.tidalcyber.com/technique/15b65bf2-dbe5-47bc-be09-ed97684bf391) or [Exploitation for Client Execution](https://app.tidalcyber.com/technique/068df3d7-f788-44e4-9e6b-2ae443af1609).\n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://app.tidalcyber.com/technique/bebaf25b-9f50-4e3b-96cc-cc55c5765b61), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.<sup>[[Mandiant Fortinet Zero Day](https://app.tidalcyber.com/references/7bdc5bbb-ebbd-5eb8-bd10-9087c883aea7)]</sup><sup>[[Wired Russia Cyberwar](https://app.tidalcyber.com/references/28c53a97-5500-5bfb-8aac-3c0bf94c2dfe)]</sup>\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.<sup>[[OWASP Top 10](https://app.tidalcyber.com/references/c6db3a77-4d01-4b4d-886d-746d676ed6d0)]</sup><sup>[[CWE top 25](https://app.tidalcyber.com/references/d8ee8b1f-c18d-48f3-9758-6860cd31c3e3)]</sup>",
"meta": {
"platforms": [
"Containers",
@ -1726,7 +1733,7 @@
"value": "Fallback Channels"
},
{
"description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>.<sup>[[Windows Commands JPCERT](https://app.tidalcyber.com/references/9d935f7f-bc2a-4d09-a51a-82074ffd7d77)]</sup> Custom tools may also be used to gather file and directory information and interact with the [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560). Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather file and directory information (e.g. <code>dir</code>, <code>show flash</code>, and/or <code>nvram</code>).<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup>",
"description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>.<sup>[[Windows Commands JPCERT](https://app.tidalcyber.com/references/9d935f7f-bc2a-4d09-a51a-82074ffd7d77)]</sup> Custom tools may also be used to gather file and directory information and interact with the [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560). Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather file and directory information (e.g. <code>dir</code>, <code>show flash</code>, and/or <code>nvram</code>).<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup>\n\nSome files and directories may require elevated or specific user permissions to access.",
"meta": {
"platforms": [
"Linux",
@ -1765,7 +1772,7 @@
"value": "File and Directory Permissions Modification"
},
{
"description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,<sup>[[FBI-ransomware](https://app.tidalcyber.com/references/54e296c9-edcc-5af7-99be-b118da29711f)]</sup> business email compromise (BEC) and fraud,<sup>[[FBI-BEC](https://app.tidalcyber.com/references/3388bfec-7822-56dc-a384-95aa79f42fe8)]</sup> \"pig butchering,\"<sup>[[wired-pig butchering](https://app.tidalcyber.com/references/dc833e17-7105-5790-b30b-b4fed7fd2d2f)]</sup> bank hacking,<sup>[[DOJ-DPRK Heist](https://app.tidalcyber.com/references/c50d2a5b-1d44-5f18-aaff-4be9f6d3f3ac)]</sup> and exploiting cryptocurrency networks.<sup>[[BBC-Ronin](https://app.tidalcyber.com/references/8e162e39-a58f-5ba0-9a8e-101d4cfa324c)]</sup> \n\nAdversaries may [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3) to conduct unauthorized transfers of funds.<sup>[[Internet crime report 2022](https://app.tidalcyber.com/references/ef30c4eb-3da3-5c7b-a304-188acd2f7ebc)]</sup> In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://app.tidalcyber.com/technique/20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.<sup>[[FBI-BEC](https://app.tidalcyber.com/references/3388bfec-7822-56dc-a384-95aa79f42fe8)]</sup> This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.<sup>[[VEC](https://app.tidalcyber.com/references/4fd7c9f7-4731-524a-b332-9cb7f2c025ae)]</sup>\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3) <sup>[[NYT-Colonial](https://app.tidalcyber.com/references/58900911-ab4b-5157-968c-67fa69cc122d)]</sup> and [Exfiltration](https://app.tidalcyber.com/tactics/66249a6d-be4e-43ab-a295-349d03a98023) of data, followed by threatening public exposure unless payment is made to the adversary.<sup>[[Mandiant-leaks](https://app.tidalcyber.com/references/aecc3ffb-c524-5ad9-b621-7228f53e27c3)]</sup>\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and business disruption.<sup>[[AP-NotPetya](https://app.tidalcyber.com/references/7f1af58a-33fd-538f-b092-789a8776780c)]</sup>",
"description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,<sup>[[FBI-ransomware](https://app.tidalcyber.com/references/54e296c9-edcc-5af7-99be-b118da29711f)]</sup> business email compromise (BEC) and fraud,<sup>[[FBI-BEC](https://app.tidalcyber.com/references/3388bfec-7822-56dc-a384-95aa79f42fe8)]</sup> \"pig butchering,\"<sup>[[wired-pig butchering](https://app.tidalcyber.com/references/dc833e17-7105-5790-b30b-b4fed7fd2d2f)]</sup> bank hacking,<sup>[[DOJ-DPRK Heist](https://app.tidalcyber.com/references/c50d2a5b-1d44-5f18-aaff-4be9f6d3f3ac)]</sup> and exploiting cryptocurrency networks.<sup>[[BBC-Ronin](https://app.tidalcyber.com/references/8e162e39-a58f-5ba0-9a8e-101d4cfa324c)]</sup> \n\nAdversaries may [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3) to conduct unauthorized transfers of funds.<sup>[[Internet crime report 2022](https://app.tidalcyber.com/references/ef30c4eb-3da3-5c7b-a304-188acd2f7ebc)]</sup> In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://app.tidalcyber.com/technique/20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.<sup>[[FBI-BEC](https://app.tidalcyber.com/references/3388bfec-7822-56dc-a384-95aa79f42fe8)]</sup> This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.<sup>[[VEC](https://app.tidalcyber.com/references/4fd7c9f7-4731-524a-b332-9cb7f2c025ae)]</sup>\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3) <sup>[[NYT-Colonial](https://app.tidalcyber.com/references/58900911-ab4b-5157-968c-67fa69cc122d)]</sup> and [Exfiltration](https://app.tidalcyber.com/tactics/66249a6d-be4e-43ab-a295-349d03a98023) of data, followed by threatening to leak sensitive data to the public unless payment is made to the adversary.<sup>[[Mandiant-leaks](https://app.tidalcyber.com/references/aecc3ffb-c524-5ad9-b621-7228f53e27c3)]</sup> Adversaries may use dedicated leak sites to distribute victim data.<sup>[[Crowdstrike-leaks](https://app.tidalcyber.com/references/a91c3252-94b8-52a8-bb0d-cadac6afa161)]</sup>\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and business disruption.<sup>[[AP-NotPetya](https://app.tidalcyber.com/references/7f1af58a-33fd-538f-b092-789a8776780c)]</sup>",
"meta": {
"platforms": [
"Google Workspace",
@ -1865,7 +1872,7 @@
"value": "Gather Victim Host Information"
},
{
"description": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.<sup>[[GrimBlog UsernameEnum](https://app.tidalcyber.com/references/cab25908-63da-484d-8c42-4451f46086e2)]</sup> Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)).<sup>[[OPM Leak](https://app.tidalcyber.com/references/b67ed4e9-ed44-460a-bd59-c978bdfda32f)]</sup><sup>[[Register Deloitte](https://app.tidalcyber.com/references/e6b10687-8666-4c9c-ac77-1988378e096d)]</sup><sup>[[Register Uber](https://app.tidalcyber.com/references/89b85928-a962-4230-875c-63742b3c9d37)]</sup><sup>[[Detectify Slack Tokens](https://app.tidalcyber.com/references/46c40ed4-5a15-4b38-b625-bebc569dbf69)]</sup><sup>[[Forbes GitHub Creds](https://app.tidalcyber.com/references/303f8801-bdd6-4a0c-a90a-37867898c99c)]</sup><sup>[[GitHub truffleHog](https://app.tidalcyber.com/references/324a563f-55ee-49e9-9fc7-2b8e35f36875)]</sup><sup>[[GitHub Gitrob](https://app.tidalcyber.com/references/1dee0842-15cc-4835-b8a8-938e0c94807b)]</sup><sup>[[CNET Leaks](https://app.tidalcyber.com/references/46df3a49-e7c4-4169-b35c-0aecc78c31ea)]</sup>\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06)), establishing operational resources (ex: [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) or [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).",
"description": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system or permitted MFA /methods associated with those usernames.<sup>[[GrimBlog UsernameEnum](https://app.tidalcyber.com/references/cab25908-63da-484d-8c42-4451f46086e2)]</sup><sup>[[Obsidian SSPR Abuse 2023](https://app.tidalcyber.com/references/7f28f770-ef06-5923-b759-b731ceabe08a)]</sup> Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)).<sup>[[OPM Leak](https://app.tidalcyber.com/references/b67ed4e9-ed44-460a-bd59-c978bdfda32f)]</sup><sup>[[Register Deloitte](https://app.tidalcyber.com/references/e6b10687-8666-4c9c-ac77-1988378e096d)]</sup><sup>[[Register Uber](https://app.tidalcyber.com/references/89b85928-a962-4230-875c-63742b3c9d37)]</sup><sup>[[Detectify Slack Tokens](https://app.tidalcyber.com/references/46c40ed4-5a15-4b38-b625-bebc569dbf69)]</sup><sup>[[Forbes GitHub Creds](https://app.tidalcyber.com/references/303f8801-bdd6-4a0c-a90a-37867898c99c)]</sup><sup>[[GitHub truffleHog](https://app.tidalcyber.com/references/324a563f-55ee-49e9-9fc7-2b8e35f36875)]</sup><sup>[[GitHub Gitrob](https://app.tidalcyber.com/references/1dee0842-15cc-4835-b8a8-938e0c94807b)]</sup><sup>[[CNET Leaks](https://app.tidalcyber.com/references/46df3a49-e7c4-4169-b35c-0aecc78c31ea)]</sup>\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06)), establishing operational resources (ex: [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) or [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).",
"meta": {
"platforms": [
"PRE"
@ -1916,7 +1923,7 @@
"value": "Gather Victim Org Information"
},
{
"description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\`.<sup>[[TechNet Group Policy Basics](https://app.tidalcyber.com/references/9b9c8c6c-c272-424e-a594-a34b7bf62477)]</sup><sup>[[ADSecurity GPO Persistence 2016](https://app.tidalcyber.com/references/e304715f-7da1-4342-ba5b-d0387d93aeb2)]</sup>\n\nAdversaries may use commands such as <code>gpresult</code> or various publicly available PowerShell functions, such as <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGroup</code>, to gather information on Group Policy settings.<sup>[[Microsoft gpresult](https://app.tidalcyber.com/references/88af38e8-e437-4153-80af-a1be8c6a8629)]</sup><sup>[[Github PowerShell Empire](https://app.tidalcyber.com/references/017ec673-454c-492a-a65b-10d3a20dfdab)]</sup> Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://app.tidalcyber.com/technique/d092a9e1-63d0-415d-8cd0-666a261be5d9)) for their benefit.",
"description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\`.<sup>[[TechNet Group Policy Basics](https://app.tidalcyber.com/references/9b9c8c6c-c272-424e-a594-a34b7bf62477)]</sup><sup>[[ADSecurity GPO Persistence 2016](https://app.tidalcyber.com/references/e304715f-7da1-4342-ba5b-d0387d93aeb2)]</sup>\n\nAdversaries may use commands such as <code>gpresult</code> or various publicly available PowerShell functions, such as <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGroup</code>, to gather information on Group Policy settings.<sup>[[Microsoft gpresult](https://app.tidalcyber.com/references/88af38e8-e437-4153-80af-a1be8c6a8629)]</sup><sup>[[Github PowerShell Empire](https://app.tidalcyber.com/references/017ec673-454c-492a-a65b-10d3a20dfdab)]</sup> Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain or Tenant Policy Modification](https://app.tidalcyber.com/technique/d092a9e1-63d0-415d-8cd0-666a261be5d9)) for their benefit.",
"meta": {
"platforms": [
"Windows"
@ -1971,6 +1978,26 @@
"uuid": "f37f0cd5-0446-415f-9309-94e25aa1165d",
"value": "Hide Artifacts"
},
{
"description": "Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished in various ways including by identifying and filtering traffic from defensive tools,<sup>[[TA571](https://app.tidalcyber.com/references/5b463ad7-f425-5e70-b0b0-28514730a888)]</sup> masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers,<sup>[[Schema-abuse](https://app.tidalcyber.com/references/75b860d9-a48d-57de-ba1e-b0db970abb1b)]</sup><sup>[[Facad1ng](https://app.tidalcyber.com/references/bd80f3d7-e653-5f8f-ba8a-00b8780ae935)]</sup><sup>[[Browser-updates](https://app.tidalcyber.com/references/89e913a8-1d52-53fe-b692-fb72e21d794f)]</sup> and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely.\n\nC2 networks may include the use of [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections. For example, an adversary may use a virtual private cloud to spoof their IP address to closer align with a victim's IP address ranges. This may also bypass security measures relying on geolocation of the source IP address.<sup>[[sysdig](https://app.tidalcyber.com/references/80cb54c2-2c44-5e19-bbc5-da9f4aaf976a)]</sup><sup>[[Orange Residential Proxies](https://app.tidalcyber.com/references/df4b99f3-1796-57b3-a352-37be5380badc)]</sup>\n\nAdversaries may also attempt to filter network traffic in order to evade defensive tools in numerous ways, including blocking/redirecting common incident responder or security appliance user agents.<sup>[[mod_rewrite](https://app.tidalcyber.com/references/3568b09c-7368-5fc2-85b3-d16ee9b9c686)]</sup><sup>[[SocGholish-update](https://app.tidalcyber.com/references/01d9c3ba-29e2-5090-b399-0e7adf50a6b9)]</sup> Filtering traffic based on IP and geo-fencing may also avoid automated sandboxing or researcher activity (i.e., [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8)).<sup>[[TA571](https://app.tidalcyber.com/references/5b463ad7-f425-5e70-b0b0-28514730a888)]</sup><sup>[[mod_rewrite](https://app.tidalcyber.com/references/3568b09c-7368-5fc2-85b3-d16ee9b9c686)]</sup>\n\nHiding C2 infrastructure may also be supported by [Resource Development](https://app.tidalcyber.com/tactics/989d09c2-12b8-4419-9b34-a328cf295fff) activities such as [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) and [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d). For example, using widely trusted hosting services or domains such as prominent URL shortening providers or marketing services for C2 networks may enable adversaries to present benign content that later redirects victims to malicious web pages or infrastructure once specific conditions are met.<sup>[[StarBlizzard](https://app.tidalcyber.com/references/68b16960-1893-51a1-b46c-974a09d4a0c4)]</sup><sup>[[QR-cofense](https://app.tidalcyber.com/references/eda8270f-c76f-5d01-b45f-74246945ec50)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
},
"related": [
{
"dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
"type": "uses"
}
],
"uuid": "a3a2a527-39e7-58b4-a3cc-932eb0cef562",
"value": "Hide Infrastructure"
},
{
"description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.\n\nThere are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.",
"meta": {
@ -2102,11 +2129,12 @@
"value": "Indirect Command Execution"
},
{
"description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://app.tidalcyber.com/software/062deac9-8f05-44e2-b347-96b59ba166ca). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://app.tidalcyber.com/technique/3dea57fc-3131-408b-a1fd-ff2eea1d858f)). \n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://app.tidalcyber.com/software/2fe21578-ee31-4ee8-b6ab-b5f76f97d043), and [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.<sup>[[t1105_lolbas](https://app.tidalcyber.com/references/80e649f5-6c74-4d66-a452-4f4cd51501da)]</sup>\n\nAdversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://app.tidalcyber.com/technique/a729feee-8e21-444e-8eea-2ec595b09931)s as well as native or otherwise present tools on the victim system.<sup>[[PTSecurity Cobalt Dec 2016](https://app.tidalcyber.com/references/2de4d38f-c99d-4149-89e6-0349a4902aa2)]</sup> In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.<sup>[[Dropbox Malware Sync](https://app.tidalcyber.com/references/06ca63fa-8c6c-501c-96d3-5e7e45ca1e04)]</sup>",
"description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://app.tidalcyber.com/software/062deac9-8f05-44e2-b347-96b59ba166ca). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://app.tidalcyber.com/technique/3dea57fc-3131-408b-a1fd-ff2eea1d858f)). \n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://app.tidalcyber.com/software/2fe21578-ee31-4ee8-b6ab-b5f76f97d043), and [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.<sup>[[t1105_lolbas](https://app.tidalcyber.com/references/80e649f5-6c74-4d66-a452-4f4cd51501da)]</sup>\n\nAdversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) (typically after interacting with [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) lures).<sup>[[T1105: Trellix_search-ms](https://app.tidalcyber.com/references/7079d170-9ead-5be4-bbc8-13c3f082b3dd)]</sup>\n\nFiles can also be transferred using various [Web Service](https://app.tidalcyber.com/technique/a729feee-8e21-444e-8eea-2ec595b09931)s as well as native or otherwise present tools on the victim system.<sup>[[PTSecurity Cobalt Dec 2016](https://app.tidalcyber.com/references/2de4d38f-c99d-4149-89e6-0349a4902aa2)]</sup> In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.<sup>[[Dropbox Malware Sync](https://app.tidalcyber.com/references/06ca63fa-8c6c-501c-96d3-5e7e45ca1e04)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
@ -2121,7 +2149,7 @@
"value": "Ingress Tool Transfer"
},
{
"description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.<sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup><sup>[[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)]</sup> This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3).<sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup><sup>[[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)]</sup> Furthermore, adversaries may disable recovery notifications, then corrupt backups.<sup>[[disable_notif_synology_ransom](https://app.tidalcyber.com/references/d53e8f89-df78-565b-a316-cf2644c5ed36)]</sup>\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* <code>vssadmin.exe</code> can be used to delete all volume shadow copies on a system - <code>vssadmin.exe delete shadows /all /quiet</code>\n* [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a) can be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>\n* <code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog - <code>wbadmin.exe delete catalog -quiet</code>\n* <code>bcdedit.exe</code> can be used to disable automatic Windows recovery features by modifying boot configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</code>\n* <code>REAgentC.exe</code> can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n\nOn network devices, adversaries may leverage [Disk Wipe](https://app.tidalcyber.com/technique/ea2b3980-05fd-41a3-8ab9-3106e833c821) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://app.tidalcyber.com/technique/24787dca-6afd-4ab3-ab6c-32e9486ec418) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nAdversaries may also delete “online” backups that are connected to their network whether via network storage media or through folders that sync to cloud services.<sup>[[ZDNet Ransomware Backups 2020](https://app.tidalcyber.com/references/301da9c8-60de-58f0-989f-6b504e3457a3)]</sup> In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.<sup>[[Dark Reading Code Spaces Cyber Attack](https://app.tidalcyber.com/references/e5a3028a-f4cc-537c-9ddd-769792ab33be)]</sup><sup>[[Rhino Security Labs AWS S3 Ransomware](https://app.tidalcyber.com/references/785c6b11-c5f0-5cb4-931b-cf75fcc368a1)]</sup>",
"description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.<sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup><sup>[[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)]</sup> This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3).<sup>[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]</sup><sup>[[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)]</sup> Furthermore, adversaries may disable recovery notifications, then corrupt backups.<sup>[[disable_notif_synology_ransom](https://app.tidalcyber.com/references/d53e8f89-df78-565b-a316-cf2644c5ed36)]</sup>\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* <code>vssadmin.exe</code> can be used to delete all volume shadow copies on a system - <code>vssadmin.exe delete shadows /all /quiet</code>\n* [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a) can be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>\n* <code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog - <code>wbadmin.exe delete catalog -quiet</code>\n* <code>bcdedit.exe</code> can be used to disable automatic Windows recovery features by modifying boot configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</code>\n* <code>REAgentC.exe</code> can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n* <code>diskshadow.exe</code> can be used to delete all volume shadow copies on a system - <code>diskshadow delete shadows all</code> <sup>[[Diskshadow](https://app.tidalcyber.com/references/9e8b57a5-7e31-5add-ac3e-8b9c0f7f27aa)]</sup> <sup>[[Crytox Ransomware](https://app.tidalcyber.com/references/7c22d9d0-a2d8-5936-a6b1-5c696a2a19c6)]</sup>\n\nOn network devices, adversaries may leverage [Disk Wipe](https://app.tidalcyber.com/technique/ea2b3980-05fd-41a3-8ab9-3106e833c821) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://app.tidalcyber.com/technique/24787dca-6afd-4ab3-ab6c-32e9486ec418) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nAdversaries may also delete “online” backups that are connected to their network whether via network storage media or through folders that sync to cloud services.<sup>[[ZDNet Ransomware Backups 2020](https://app.tidalcyber.com/references/301da9c8-60de-58f0-989f-6b504e3457a3)]</sup> In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.<sup>[[Dark Reading Code Spaces Cyber Attack](https://app.tidalcyber.com/references/e5a3028a-f4cc-537c-9ddd-769792ab33be)]</sup><sup>[[Rhino Security Labs AWS S3 Ransomware](https://app.tidalcyber.com/references/785c6b11-c5f0-5cb4-931b-cf75fcc368a1)]</sup>",
"meta": {
"platforms": [
"Containers",
@ -2167,7 +2195,7 @@
"value": "Input Capture"
},
{
"description": "Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged campaign where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.<sup>[[Trend Micro When Phishing Starts from the Inside 2017](https://app.tidalcyber.com/references/dbdc2009-a468-439b-bd96-e6153b3fb8a1)]</sup>\n\nAdversaries may leverage [Spearphishing Attachment](https://app.tidalcyber.com/technique/ba553ad4-5699-4458-ae4e-76e1faa43291) or [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://app.tidalcyber.com/technique/5ee96331-a7b7-4c32-a8f1-3fb164078f5f) on sites that mimic email login interfaces.\n\nThere have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.<sup>[[Trend Micro When Phishing Starts from the Inside 2017](https://app.tidalcyber.com/references/dbdc2009-a468-439b-bd96-e6153b3fb8a1)]</sup> The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the campaign and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.<sup>[[THE FINANCIAL TIMES LTD 2019.](https://app.tidalcyber.com/references/5a01f0b7-86f7-44a1-bf35-46a631402ceb)]</sup>",
"description": "After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://app.tidalcyber.com/technique/20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1).<sup>[[Trend Micro - Int SP](https://app.tidalcyber.com/references/1c21c911-11db-560c-b623-5937dc478b74)]</sup>\n\nFor example, adversaries may leverage [Spearphishing Attachment](https://app.tidalcyber.com/technique/ba553ad4-5699-4458-ae4e-76e1faa43291) or [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://app.tidalcyber.com/technique/5ee96331-a7b7-4c32-a8f1-3fb164078f5f) on sites that mimic login interfaces.\n\nAdversaries may also leverage internal chat apps, such as Microsoft Teams, to spread malicious content or engage users in attempts to capture sensitive information and/or credentials.<sup>[[Int SP - chat apps](https://app.tidalcyber.com/references/8d0db0f2-9b29-5216-8c9c-de8bf0c541de)]</sup>",
"meta": {
"platforms": [
"Google Workspace",
@ -2247,7 +2275,7 @@
"value": "Log Enumeration"
},
{
"description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd).<sup>[[LOLBAS Main Site](https://app.tidalcyber.com/references/615f6fa5-3059-49fc-9fa4-5ca0aeff4331)]</sup> Masquerading may also include the use of [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.",
"description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd).<sup>[[LOLBAS Main Site](https://app.tidalcyber.com/references/615f6fa5-3059-49fc-9fa4-5ca0aeff4331)]</sup>",
"meta": {
"platforms": [
"Containers",
@ -2370,7 +2398,7 @@
"value": "Multi-Factor Authentication Interception"
},
{
"description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.\n\nAdversaries in possession of credentials to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.\n\nIn some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”<sup>[[Russian 2FA Push Annoyance - Cimpanu](https://app.tidalcyber.com/references/ad2b0648-b657-4daa-9510-82375a252fc4)]</sup><sup>[[MFA Fatigue Attacks - PortSwigger](https://app.tidalcyber.com/references/1b7b0f00-71ba-4762-ae81-bce24591cff4)]</sup><sup>[[Suspected Russian Activity Targeting Government and Business Entities Around the Globe](https://app.tidalcyber.com/references/f45a0551-8d49-4d40-989f-659416dc25ec)]</sup>",
"description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.\n\nAdversaries in possession of credentials to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account. If adversaries lack credentials to victim accounts, they may also abuse automatic push notification generation when this option is configured for self-service password reset (SSPR).<sup>[[Obsidian SSPR Abuse 2023](https://app.tidalcyber.com/references/7f28f770-ef06-5923-b759-b731ceabe08a)]</sup>\n\nIn some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”<sup>[[Russian 2FA Push Annoyance - Cimpanu](https://app.tidalcyber.com/references/ad2b0648-b657-4daa-9510-82375a252fc4)]</sup><sup>[[MFA Fatigue Attacks - PortSwigger](https://app.tidalcyber.com/references/1b7b0f00-71ba-4762-ae81-bce24591cff4)]</sup><sup>[[Suspected Russian Activity Targeting Government and Business Entities Around the Globe](https://app.tidalcyber.com/references/f45a0551-8d49-4d40-989f-659416dc25ec)]</sup>",
"meta": {
"platforms": [
"Azure AD",
@ -2515,7 +2543,7 @@
"value": "Network Share Discovery"
},
{
"description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://app.tidalcyber.com/technique/b44a263f-76b2-4a1f-baeb-dd285974eca6), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.<sup>[[AWS Traffic Mirroring](https://app.tidalcyber.com/references/6b77a2f3-39b8-4574-8dee-cde7ba9debff)]</sup><sup>[[GCP Packet Mirroring](https://app.tidalcyber.com/references/c91c6399-3520-4410-936d-48c3b13235ca)]</sup><sup>[[Azure Virtual Network TAP](https://app.tidalcyber.com/references/3f106d7e-f101-4adb-bbd1-d8c04a347f85)]</sup> Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.<sup>[[Rhino Security Labs AWS VPC Traffic Mirroring](https://app.tidalcyber.com/references/09cac813-862c-47c8-a47f-154c5436afbb)]</sup><sup>[[SpecterOps AWS Traffic Mirroring](https://app.tidalcyber.com/references/6ab2cfa1-230f-498e-8049-fcdd2f7296dd)]</sup> The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.<sup>[[Rhino Security Labs AWS VPC Traffic Mirroring](https://app.tidalcyber.com/references/09cac813-862c-47c8-a47f-154c5436afbb)]</sup>\n\nOn network devices, adversaries may perform network captures using [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `monitor capture`.<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[capture_embedded_packet_on_software](https://app.tidalcyber.com/references/5d973180-a28a-5c8f-b13a-45d21331700f)]</sup>",
"description": "Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://app.tidalcyber.com/technique/b44a263f-76b2-4a1f-baeb-dd285974eca6), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb) and/or [Defense Evasion](https://app.tidalcyber.com/tactics/8e29c6c9-0c10-4bb0-827d-ff0ab8922726) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9) (AiTM) to passively gain additional knowledge about the environment.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.<sup>[[AWS Traffic Mirroring](https://app.tidalcyber.com/references/6b77a2f3-39b8-4574-8dee-cde7ba9debff)]</sup><sup>[[GCP Packet Mirroring](https://app.tidalcyber.com/references/c91c6399-3520-4410-936d-48c3b13235ca)]</sup><sup>[[Azure Virtual Network TAP](https://app.tidalcyber.com/references/3f106d7e-f101-4adb-bbd1-d8c04a347f85)]</sup> Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.<sup>[[Rhino Security Labs AWS VPC Traffic Mirroring](https://app.tidalcyber.com/references/09cac813-862c-47c8-a47f-154c5436afbb)]</sup><sup>[[SpecterOps AWS Traffic Mirroring](https://app.tidalcyber.com/references/6ab2cfa1-230f-498e-8049-fcdd2f7296dd)]</sup> The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.<sup>[[Rhino Security Labs AWS VPC Traffic Mirroring](https://app.tidalcyber.com/references/09cac813-862c-47c8-a47f-154c5436afbb)]</sup>\n\nOn network devices, adversaries may perform network captures using [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `monitor capture`.<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[capture_embedded_packet_on_software](https://app.tidalcyber.com/references/5d973180-a28a-5c8f-b13a-45d21331700f)]</sup>",
"meta": {
"platforms": [
"IaaS",
@ -2584,6 +2612,7 @@
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
"source": "MITRE"
@ -2633,7 +2662,7 @@
"value": "Office Application Startup"
},
{
"description": "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb) and access restricted information.\n\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n",
"description": "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.<sup>[[Brining MimiKatz to Unix](https://app.tidalcyber.com/references/5ad06565-6694-4c42-81c9-880d66f6d07f)]</sup> Credentials can then be used to perform [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb) and access restricted information.\n\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n",
"meta": {
"platforms": [
"Linux",
@ -2817,7 +2846,7 @@
"value": "Pre-OS Boot"
},
{
"description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://app.tidalcyber.com/technique/710ae610-0556-44e5-9de9-8be6159a23dd) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://app.tidalcyber.com/software/abae8f19-9497-4a71-82b6-ae6edd26ad98) utility via [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) or <code>Get-Process</code> via [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde). Information about processes can also be extracted from the output of [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) calls such as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via /proc.\n\nOn network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show processes` can be used to display current running processes.<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[show_processes_cisco_cmd](https://app.tidalcyber.com/references/944e529b-5e8a-54a1-b205-71dcb7dd304f)]</sup>",
"description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://app.tidalcyber.com/technique/710ae610-0556-44e5-9de9-8be6159a23dd) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://app.tidalcyber.com/software/abae8f19-9497-4a71-82b6-ae6edd26ad98) utility via [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) or <code>Get-Process</code> via [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde). Information about processes can also be extracted from the output of [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) calls such as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via `/proc`. \n\nOn network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show processes` can be used to display current running processes.<sup>[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]</sup><sup>[[show_processes_cisco_cmd](https://app.tidalcyber.com/references/944e529b-5e8a-54a1-b205-71dcb7dd304f)]</sup>",
"meta": {
"platforms": [
"Linux",
@ -2916,7 +2945,7 @@
"value": "Query Registry"
},
{
"description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).<sup>[[Introducing Donut](https://app.tidalcyber.com/references/8fd099c6-e002-44d0-8b7f-65f290a42c07)]</sup><sup>[[S1 Custom Shellcode Tool](https://app.tidalcyber.com/references/f49bfd00-48d5-4d84-a7b7-cb23fcdf861b)]</sup><sup>[[Stuart ELF Memory](https://app.tidalcyber.com/references/402745e1-a65a-4fa1-a86d-99b37221095c)]</sup><sup>[[00sec Droppers](https://app.tidalcyber.com/references/7569e79b-5a80-4f42-b467-8548cc9fc319)]</sup><sup>[[Mandiant BYOL](https://app.tidalcyber.com/references/445efe8b-659a-4023-afc7-aa7cd21ee5a1)]</sup>\n\nReflective code injection is very similar to [Process Injection](https://app.tidalcyber.com/technique/7a6208ac-c75e-4e73-8969-0aaf6085cb6e) except that the “injection” loads code into the processes own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.<sup>[[Stuart ELF Memory](https://app.tidalcyber.com/references/402745e1-a65a-4fa1-a86d-99b37221095c)]</sup><sup>[[00sec Droppers](https://app.tidalcyber.com/references/7569e79b-5a80-4f42-b467-8548cc9fc319)]</sup><sup>[[Intezer ACBackdoor](https://app.tidalcyber.com/references/e6cb833f-cf18-498b-a233-848853423412)]</sup><sup>[[S1 Old Rat New Tricks](https://app.tidalcyber.com/references/20ef3645-fb92-4e13-a5a8-99367869bcba)]</sup>",
"description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://app.tidalcyber.com/technique/8941d1f4-d80c-4aaa-821a-a059c2a0f854)).\n\nReflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).<sup>[[Introducing Donut](https://app.tidalcyber.com/references/8fd099c6-e002-44d0-8b7f-65f290a42c07)]</sup><sup>[[S1 Custom Shellcode Tool](https://app.tidalcyber.com/references/f49bfd00-48d5-4d84-a7b7-cb23fcdf861b)]</sup><sup>[[Stuart ELF Memory](https://app.tidalcyber.com/references/402745e1-a65a-4fa1-a86d-99b37221095c)]</sup><sup>[[00sec Droppers](https://app.tidalcyber.com/references/7569e79b-5a80-4f42-b467-8548cc9fc319)]</sup><sup>[[Mandiant BYOL](https://app.tidalcyber.com/references/445efe8b-659a-4023-afc7-aa7cd21ee5a1)]</sup> For example, the `Assembly.Load()` method executed by [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) may be abused to load raw code into the running process.<sup>[[Microsoft AssemblyLoad](https://app.tidalcyber.com/references/3d980d7a-7074-5812-9bb1-ca8e27e028bd)]</sup>\n\nReflective code injection is very similar to [Process Injection](https://app.tidalcyber.com/technique/7a6208ac-c75e-4e73-8969-0aaf6085cb6e) except that the “injection” loads code into the processes own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.<sup>[[Stuart ELF Memory](https://app.tidalcyber.com/references/402745e1-a65a-4fa1-a86d-99b37221095c)]</sup><sup>[[00sec Droppers](https://app.tidalcyber.com/references/7569e79b-5a80-4f42-b467-8548cc9fc319)]</sup><sup>[[Intezer ACBackdoor](https://app.tidalcyber.com/references/e6cb833f-cf18-498b-a233-848853423412)]</sup><sup>[[S1 Old Rat New Tricks](https://app.tidalcyber.com/references/20ef3645-fb92-4e13-a5a8-99367869bcba)]</sup>",
"meta": {
"platforms": [
"Linux",
@ -2935,7 +2964,7 @@
"value": "Reflective Code Loading"
},
{
"description": "An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.<sup>[[Symantec Living off the Land](https://app.tidalcyber.com/references/4bad4659-f501-4eb6-b3ca-0359e3ba824e)]</sup><sup>[[CrowdStrike 2015 Global Threat Report](https://app.tidalcyber.com/references/50d467da-286b-45f3-8d5a-e9d8632f7bf1)]</sup><sup>[[CrySyS Blog TeamSpy](https://app.tidalcyber.com/references/f21ea3e2-7983-44d2-b78f-80d84bbc4f52)]</sup>\n\nRemote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://app.tidalcyber.com/technique/31c6dd3c-3eb2-46a9-ab85-9e8e145810a1)).",
"description": "An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.<sup>[[Symantec Living off the Land](https://app.tidalcyber.com/references/4bad4659-f501-4eb6-b3ca-0359e3ba824e)]</sup><sup>[[CrowdStrike 2015 Global Threat Report](https://app.tidalcyber.com/references/50d467da-286b-45f3-8d5a-e9d8632f7bf1)]</sup><sup>[[CrySyS Blog TeamSpy](https://app.tidalcyber.com/references/f21ea3e2-7983-44d2-b78f-80d84bbc4f52)]</sup>\n\nRemote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n \nAdversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://app.tidalcyber.com/technique/31c6dd3c-3eb2-46a9-ab85-9e8e145810a1)). Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chromes Remote Desktop).<sup>[[Google Chrome Remote Desktop](https://app.tidalcyber.com/references/70c87a07-38eb-53d2-8b63-013eb3ce62c8)]</sup><sup>[[Chrome Remote Desktop](https://app.tidalcyber.com/references/c1b2d0e9-2396-5080-aea3-58a99c027d20)]</sup>",
"meta": {
"platforms": [
"Linux",
@ -3302,12 +3331,13 @@
"value": "Shared Modules"
},
{
"description": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). \n\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. <sup>[[Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation](https://app.tidalcyber.com/references/a43dd8ce-23d6-5768-8522-6973dc45e1ac)]</sup>\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.",
"description": "Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager. \n\nAccess to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nSaaS-based configuration management services may allow for broad [Cloud Administration Command](https://app.tidalcyber.com/technique/944a7b91-c58e-567d-9e2c-515b93713c50) on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Azure AD.<sup>[[SpecterOps Lateral Movement from Azure to On-Prem AD 2020](https://app.tidalcyber.com/references/eb97d3d6-21cb-5f27-9a78-1e8576acecdc)]</sup> Such services may also utilize [Web Protocols](https://app.tidalcyber.com/technique/9a21ec7b-9714-4073-9bf3-4df41995c698) to communicate back to adversary owned infrastructure.<sup>[[Mitiga Security Advisory: SSM Agent as Remote Access Trojan](https://app.tidalcyber.com/references/88fecbcd-a89b-536a-a1f6-6ddfb2b452da)]</sup>\n\nNetwork infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.<sup>[[Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation](https://app.tidalcyber.com/references/a43dd8ce-23d6-5768-8522-6973dc45e1ac)]</sup>\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"SaaS",
"Windows"
],
"source": "MITRE"
@ -3326,16 +3356,12 @@
"value": "Software Deployment Tools"
},
{
"description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://app.tidalcyber.com/technique/e9bff6ff-3142-4910-8f67-19b868912602) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c).",
"description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://app.tidalcyber.com/technique/e9bff6ff-3142-4910-8f67-19b868912602) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nSuch software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://app.tidalcyber.com/technique/1bcf9fb5-6848-44d9-b394-ffbd3c357058), and may allow adversaries broad access to infect devices or move laterally.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c).",
"meta": {
"platforms": [
"Azure AD",
"Google Workspace",
"IaaS",
"Linux",
"macOS",
"Office 365",
"SaaS",
"Windows"
],
"source": "MITRE"
@ -3367,7 +3393,7 @@
"value": "Stage Capabilities"
},
{
"description": "Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).<sup>[[Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019](https://app.tidalcyber.com/references/8ec52402-7e54-463d-8906-f373e5855018)]</sup> OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.\n\nIn Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the containers token and thereby gain access to Kubernetes API commands.<sup>[[Kubernetes Service Accounts](https://app.tidalcyber.com/references/a74ffa28-8a2e-4bfd-bc66-969b463bebd9)]</sup>\n\nToken theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.<sup>[[Microsoft Identity Platform Protocols May 2019](https://app.tidalcyber.com/references/a99d2292-be39-4e55-a952-30c9d6a3d0a3)]</sup><sup>[[Microsoft - OAuth Code Authorization flow - June 2019](https://app.tidalcyber.com/references/a41c2123-8b8d-4f98-a535-e58e3e746b69)]</sup> An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.<sup>[[Amnesty OAuth Phishing Attacks, August 2019](https://app.tidalcyber.com/references/0b0f9cf6-f0af-4f86-9699-a63ff36c49e2)]</sup><sup>[[Trend Micro Pawn Storm OAuth 2017](https://app.tidalcyber.com/references/7d12c764-facd-4086-acd0-5c0287344520)]</sup> The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.<sup>[[Microsoft - Azure AD App Registration - May 2019](https://app.tidalcyber.com/references/36a06c99-55ca-4163-9450-c3b84ae10039)]</sup> Then, they can send a [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://app.tidalcyber.com/technique/8592f37d-850a-43d1-86f2-cc981ad7d7dc).<sup>[[Microsoft - Azure AD Identity Tokens - Aug 2019](https://app.tidalcyber.com/references/44767d53-8cd7-44dd-a69d-8a7bebc1d87d)]</sup>\n\nApplication access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens<sup>[[Auth0 Understanding Refresh Tokens](https://app.tidalcyber.com/references/84eb3d8a-f6b1-4bb5-9411-2c8da29b5946)]</sup>, allowing them to obtain new access tokens without prompting the user. \n\n",
"description": "Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).<sup>[[Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019](https://app.tidalcyber.com/references/8ec52402-7e54-463d-8906-f373e5855018)]</sup> Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.\n\nFor example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the containers token and thereby gain access to Kubernetes API commands.<sup>[[Kubernetes Service Accounts](https://app.tidalcyber.com/references/a74ffa28-8a2e-4bfd-bc66-969b463bebd9)]</sup> Similarly, instances within continuous-development / continuous-integration (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.<sup>[[Cider Security Top 10 CICD Security Risks](https://app.tidalcyber.com/references/512974b7-b464-52af-909a-2cb880b524e5)]</sup> If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges.\n\nToken theft can also occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.<sup>[[Microsoft Identity Platform Protocols May 2019](https://app.tidalcyber.com/references/a99d2292-be39-4e55-a952-30c9d6a3d0a3)]</sup><sup>[[Microsoft - OAuth Code Authorization flow - June 2019](https://app.tidalcyber.com/references/a41c2123-8b8d-4f98-a535-e58e3e746b69)]</sup> An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.<sup>[[Amnesty OAuth Phishing Attacks, August 2019](https://app.tidalcyber.com/references/0b0f9cf6-f0af-4f86-9699-a63ff36c49e2)]</sup><sup>[[Trend Micro Pawn Storm OAuth 2017](https://app.tidalcyber.com/references/7d12c764-facd-4086-acd0-5c0287344520)]</sup> The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.<sup>[[Microsoft - Azure AD App Registration - May 2019](https://app.tidalcyber.com/references/36a06c99-55ca-4163-9450-c3b84ae10039)]</sup> Then, they can send a [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://app.tidalcyber.com/technique/8592f37d-850a-43d1-86f2-cc981ad7d7dc).<sup>[[Microsoft - Azure AD Identity Tokens - Aug 2019](https://app.tidalcyber.com/references/44767d53-8cd7-44dd-a69d-8a7bebc1d87d)]</sup>\n\nApplication access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens<sup>[[Auth0 Understanding Refresh Tokens](https://app.tidalcyber.com/references/84eb3d8a-f6b1-4bb5-9411-2c8da29b5946)]</sup>, allowing them to obtain new access tokens without prompting the user. \n\n",
"meta": {
"platforms": [
"Azure AD",
@ -3427,7 +3453,7 @@
"value": "Steal or Forge Kerberos Tickets"
},
{
"description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.<sup>[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)]</sup>\n\nThere are several examples of malware targeting cookies from web browsers on the local system.<sup>[[Kaspersky TajMahal April 2019](https://app.tidalcyber.com/references/1ed20522-52ae-4d0c-b42e-c680490958ac)]</sup><sup>[[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)]</sup> There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9)) that can be set up by an adversary and used in phishing campaigns.<sup>[[Github evilginx2](https://app.tidalcyber.com/references/322e5d90-5095-47ea-b0e2-e7e5fb45fcca)]</sup><sup>[[GitHub Mauraena](https://app.tidalcyber.com/references/578ecf62-b546-4f52-9d50-92557edf2dd4)]</sup>\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://app.tidalcyber.com/technique/d36a5323-e249-44e8-9c8b-5cc9c023a5e1) technique to login to the corresponding web application.",
"description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.<sup>[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)]</sup>\n\nThere are several examples of malware targeting cookies from web browsers on the local system.<sup>[[Kaspersky TajMahal April 2019](https://app.tidalcyber.com/references/1ed20522-52ae-4d0c-b42e-c680490958ac)]</sup><sup>[[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)]</sup> Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) by tricking victims into running malicious JavaScript in their browser.<sup>[[Talos Roblox Scam 2023](https://app.tidalcyber.com/references/9371ee4a-ac23-5acb-af3f-132ef3645392)]</sup><sup>[[Krebs Discord Bookmarks 2023](https://app.tidalcyber.com/references/1d0a21f4-9a8e-5514-894a-3d55263ff973)]</sup>\n\nThere are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9)) that can be set up by an adversary and used in phishing campaigns.<sup>[[Github evilginx2](https://app.tidalcyber.com/references/322e5d90-5095-47ea-b0e2-e7e5fb45fcca)]</sup><sup>[[GitHub Mauraena](https://app.tidalcyber.com/references/578ecf62-b546-4f52-9d50-92557edf2dd4)]</sup>\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://app.tidalcyber.com/technique/d36a5323-e249-44e8-9c8b-5cc9c023a5e1) technique to login to the corresponding web application.",
"meta": {
"platforms": [
"Google Workspace",
@ -3683,9 +3709,11 @@
"value": "System Shutdown/Reboot"
},
{
"description": "An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. <sup>[[MSDN System Time](https://app.tidalcyber.com/references/5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec)]</sup><sup>[[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)]</sup>\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) on Windows by performing <code>net time \\\\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>.<sup>[[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)]</sup>\n\nOn network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show clock detail` can be used to see the current time configuration.<sup>[[show_clock_detail_cisco_cmd](https://app.tidalcyber.com/references/a2215813-31b0-5624-92d8-479e7bd1a30b)]</sup>\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://app.tidalcyber.com/technique/0baf02af-ffaa-403f-9f0d-da51f463a1d8)<sup>[[RSA EU12 They're Inside](https://app.tidalcyber.com/references/8330ab88-9c73-4332-97d6-c1fb95b1a155)]</sup>, or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://app.tidalcyber.com/technique/90e6a093-3e87-4d74-8b68-38c7d7e5e93c)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.<sup>[[AnyRun TimeBomb](https://app.tidalcyber.com/references/cd369bf9-80a8-426f-a0aa-c9745b40696c)]</sup>",
"description": "An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or <code>systemsetup</code> on macOS.<sup>[[MSDN System Time](https://app.tidalcyber.com/references/5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec)]</sup><sup>[[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)]</sup><sup>[[systemsetup mac time](https://app.tidalcyber.com/references/a85bd111-a2ca-5e66-b90e-f52ff780fc5c)]</sup> These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.<sup>[[Mac Time Sync](https://app.tidalcyber.com/references/b36dd8af-045d-57b0-b0a9-45d831fe6373)]</sup><sup>[[linux system time](https://app.tidalcyber.com/references/2dfd22d7-c78b-5967-b732-736f37ea5489)]</sup>\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) on Windows by performing <code>net time \\\\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>.<sup>[[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)]</sup> In addition, adversaries can discover device uptime through functions such as <code>GetTickCount()</code> to determine how long it has been since the system booted up.<sup>[[Virtualization/Sandbox Evasion](https://app.tidalcyber.com/references/a3031616-f21a-574f-a9a5-a808a6230aa8)]</sup>\n\nOn network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show clock detail` can be used to see the current time configuration.<sup>[[show_clock_detail_cisco_cmd](https://app.tidalcyber.com/references/a2215813-31b0-5624-92d8-479e7bd1a30b)]</sup>\n\nIn addition, system calls such as <code>time()</code> have been used to collect the current time on Linux devices.<sup>[[MAGNET GOBLIN](https://app.tidalcyber.com/references/955b6449-4cd5-5512-a5f3-2bcb91def3ef)]</sup> On macOS systems, adversaries may use commands such as <code>systemsetup -gettimezone</code> or <code>timeIntervalSinceNow</code> to gather current time zone information or current date and time.<sup>[[System Information Discovery Technique](https://app.tidalcyber.com/references/6123fbd4-c6fc-504c-92f2-5d405730c298)]</sup><sup>[[ESET DazzleSpy Jan 2022](https://app.tidalcyber.com/references/212012ac-9084-490f-8dd2-5cc9ac6e6de1)]</sup>\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://app.tidalcyber.com/technique/0baf02af-ffaa-403f-9f0d-da51f463a1d8)<sup>[[RSA EU12 They're Inside](https://app.tidalcyber.com/references/8330ab88-9c73-4332-97d6-c1fb95b1a155)]</sup>, or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://app.tidalcyber.com/technique/90e6a093-3e87-4d74-8b68-38c7d7e5e93c)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.<sup>[[AnyRun TimeBomb](https://app.tidalcyber.com/references/cd369bf9-80a8-426f-a0aa-c9745b40696c)]</sup>",
"meta": {
"platforms": [
"Linux",
"macOS",
"Network",
"Windows"
],
@ -3767,10 +3795,13 @@
"value": "Traffic Signaling"
},
{
"description": "Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.\n\nA defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.\n\nIncidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.<sup>[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)]</sup> ",
"description": "Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.\n\nA defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.<sup>[[TLDRSec AWS Attacks](https://app.tidalcyber.com/references/b8de9dd2-3c57-5417-a24f-0260dff6afc6)]</sup>\n\nAdversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.<sup>[[Microsoft Azure Storage Shared Access Signature](https://app.tidalcyber.com/references/9031357f-04ac-5c07-a59d-97b9e32edf79)]</sup>\n\nIncidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.<sup>[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)]</sup> ",
"meta": {
"platforms": [
"IaaS"
"Google Workspace",
"IaaS",
"Office 365",
"SaaS"
],
"source": "MITRE"
},
@ -3823,7 +3854,7 @@
"value": "Trusted Relationship"
},
{
"description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://app.tidalcyber.com/technique/065d1cca-8ca5-4f8b-a333-2340706f589e)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://app.tidalcyber.com/technique/cdac2469-52ca-42a8-aefe-0321a7e3d658)), or other specialized files/artifacts (e.g. [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a)).",
"description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://app.tidalcyber.com/technique/065d1cca-8ca5-4f8b-a333-2340706f589e)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://app.tidalcyber.com/technique/cdac2469-52ca-42a8-aefe-0321a7e3d658)), or other specialized files/artifacts (e.g. [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a)).<sup>[[Brining MimiKatz to Unix](https://app.tidalcyber.com/references/5ad06565-6694-4c42-81c9-880d66f6d07f)]</sup>",
"meta": {
"platforms": [
"Azure AD",
@ -3892,7 +3923,7 @@
"value": "Use Alternate Authentication Material"
},
{
"description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).\n\nWhile [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b).\n\nAdversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). For example, tech support scams can be facilitated through [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430).<sup>[[Telephone Attack Delivery](https://app.tidalcyber.com/references/9670da7b-0600-4072-9ecc-65a918b89ac5)]</sup>",
"description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).\n\nWhile [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b).\n\nAdversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://app.tidalcyber.com/technique/17f9e46d-4e3d-4491-a0d9-0cc042531d6e)s; or downloading and executing malware for [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872).<sup>[[Talos Roblox Scam 2023](https://app.tidalcyber.com/references/9371ee4a-ac23-5acb-af3f-132ef3645392)]</sup><sup>[[Krebs Discord Bookmarks 2023](https://app.tidalcyber.com/references/1d0a21f4-9a8e-5514-894a-3d55263ff973)]</sup>\n\nFor example, tech support scams can be facilitated through [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430).<sup>[[Telephone Attack Delivery](https://app.tidalcyber.com/references/9670da7b-0600-4072-9ecc-65a918b89ac5)]</sup>",
"meta": {
"platforms": [
"Containers",
@ -4029,7 +4060,7 @@
"value": "Web Service"
},
{
"description": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) such as [Distributed Component Object Model](https://app.tidalcyber.com/technique/ebc5fabb-5634-49f2-8979-94ea98da114a) (DCOM) and [Windows Remote Management](https://app.tidalcyber.com/technique/c2866fd3-754e-4b40-897a-e73a8c1fcf7b) (WinRM).<sup>[[MSDN WMI](https://app.tidalcyber.com/references/210ca539-71f6-4494-91ea-402a3e0e2a10)]</sup> Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.<sup>[[MSDN WMI](https://app.tidalcyber.com/references/210ca539-71f6-4494-91ea-402a3e0e2a10)]</sup><sup>[[FireEye WMI 2015](https://app.tidalcyber.com/references/135ccd72-2714-4453-9c8f-f5fde31905ee)]</sup>\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. <sup>[[FireEye WMI SANS 2015](https://app.tidalcyber.com/references/a9333ef5-5637-4a4c-9aaf-fdc9daf8b860)]</sup> <sup>[[FireEye WMI 2015](https://app.tidalcyber.com/references/135ccd72-2714-4453-9c8f-f5fde31905ee)]</sup>",
"description": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.<sup>[[WMI 1-3](https://app.tidalcyber.com/references/fe0a3b0c-8526-5a0d-acb8-660bbc0c9328)]</sup> WMI is an administration feature that provides a uniform environment to access Windows system components.\n\nThe WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) such as [Distributed Component Object Model](https://app.tidalcyber.com/technique/ebc5fabb-5634-49f2-8979-94ea98da114a) and [Windows Remote Management](https://app.tidalcyber.com/technique/c2866fd3-754e-4b40-897a-e73a8c1fcf7b).<sup>[[WMI 1-3](https://app.tidalcyber.com/references/fe0a3b0c-8526-5a0d-acb8-660bbc0c9328)]</sup> Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.<sup>[[WMI 1-3](https://app.tidalcyber.com/references/fe0a3b0c-8526-5a0d-acb8-660bbc0c9328)]</sup> <sup>[[Mandiant WMI](https://app.tidalcyber.com/references/8d237948-7b10-5055-b9e6-52e6cab16f32)]</sup>\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://app.tidalcyber.com/tactics/ee7e5a85-a940-46e4-b408-12956f3baafa) as well as [Execution](https://app.tidalcyber.com/tactics/dad2337d-6d35-410a-acc5-da36ff83ee44) of commands and payloads.<sup>[[Mandiant WMI](https://app.tidalcyber.com/references/8d237948-7b10-5055-b9e6-52e6cab16f32)]</sup> For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://app.tidalcyber.com/technique/d207c03b-fbe7-420e-a053-339f4650c043)).<sup>[[WMI 6](https://app.tidalcyber.com/references/df07a086-0d38-570b-b0c5-9f5061212db7)]</sup>\n\n**Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) as the primary WMI interface.<sup>[[WMI 7,8](https://app.tidalcyber.com/references/819cecb2-5bd3-5c20-bbda-372516b00d6e)]</sup> In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.<sup>[[WMI 7,8](https://app.tidalcyber.com/references/819cecb2-5bd3-5c20-bbda-372516b00d6e)]</sup>",
"meta": {
"platforms": [
"Windows"