diff --git a/galaxy.html b/galaxy.html
index d8ba535..1f5e568 100755
--- a/galaxy.html
+++ b/galaxy.html
@@ -9232,7 +9232,7 @@ Banker is a cluster galaxy available in JSON format at authors
-Unknown
+Unknown - raw-data
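Review bot: the authors value for the Banker galaxy changes from "Unknown" to "Unknown - raw-data", which reads as two values fused with a hyphen rather than one author string; if raw-data is a separate source or contributor, list it as its own entry, and if it is meant as a qualifier on the unknown author, use a separator that makes that explicit (for example "Unknown (raw-data)").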
@@ -10485,6 +10485,49 @@ The speed at which mining operations conduct mathematical operations to unlock n
+
+
+
+
The banker is distributed through malicious email spam campaigns. Instead of using complex process injection methods to monitor browsing activity, the malware hooks key Windows message loop events in order to inspect values of the window objects for banking activity. The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload
+
+
+
+
+
+
+
Trojan under development and already being distributed through the RIG Exploit Kit. Observed code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot. Karius works in a rather traditional fashion to other banking malware and consists of three components (injector32\64.exe, proxy32\64.dll and mod32\64.dll), these components essentially work together to deploy webinjects in several browsers.
+
+
+
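Review bot: the two descriptions added in this hunk (the Banker entry starting "The banker is distributed..." and the Karius entry starting "Trojan under development...") are wrapped in runs of empty `+` lines and show no name, no "Table N. Table References" caption and no reference rows, yet every later caption in this diff shifts by exactly 2, which implies two references tables were generated; confirm the generator actually emitted those tables with content rather than the empty cells these blank lines suggest. Minor: the first description lacks a closing period after "malicious payload", and the second opens without a subject ("Trojan under development" should name Karius) and splices two sentences with the comma after "mod32\64.dll)"; both are better fixed in the source cluster JSON than in this generated HTML.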
@@ -10525,7 +10568,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 467. Table References
+Table 469. Table References
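Review bot: from this hunk to the end of the diff every "Table N. Table References" caption is renumbered by +2 (467 becomes 469 here, 622 becomes 624 in the last visible hunk), which is generated churn consistent with two references tables being inserted earlier for the Banker entries; nothing to change here, but the reviewer should only need to verify that the offset stays exactly 2 throughout, since a caption that shifts by 1 or 3 would mean an entry was dropped or duplicated upstream.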
@@ -10561,7 +10604,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 468. Table References
+Table 470. Table References
@@ -10603,7 +10646,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 469. Table References
+Table 471. Table References
@@ -10636,7 +10679,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 470. Table References
+Table 472. Table References
@@ -10678,7 +10721,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 471. Table References
+Table 473. Table References
@@ -10708,7 +10751,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 472. Table References
+Table 474. Table References
@@ -10738,7 +10781,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 473. Table References
+Table 475. Table References
@@ -10771,7 +10814,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 474. Table References
+Table 476. Table References
@@ -10791,7 +10834,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 475. Table References
+Table 477. Table References
@@ -10824,7 +10867,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 476. Table References
+Table 478. Table References
@@ -10844,7 +10887,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 477. Table References
+Table 479. Table References
@@ -10874,7 +10917,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 478. Table References
+Table 480. Table References
@@ -10922,7 +10965,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 479. Table References
+Table 481. Table References
@@ -10942,7 +10985,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 480. Table References
+Table 482. Table References
@@ -10981,7 +11024,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 481. Table References
+Table 483. Table References
@@ -11014,7 +11057,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 482. Table References
+Table 484. Table References
@@ -11034,7 +11077,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 483. Table References
+Table 485. Table References
@@ -11051,7 +11094,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 484. Table References
+Table 486. Table References
@@ -11084,7 +11127,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 485. Table References
+Table 487. Table References
@@ -11101,7 +11144,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 486. Table References
+Table 488. Table References
@@ -11118,7 +11161,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 487. Table References
+Table 489. Table References
@@ -11157,7 +11200,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 488. Table References
+Table 490. Table References
@@ -11193,7 +11236,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 489. Table References
+Table 491. Table References
@@ -11213,7 +11256,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 490. Table References
+Table 492. Table References
@@ -11243,7 +11286,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 491. Table References
+Table 493. Table References
@@ -11276,7 +11319,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 492. Table References
+Table 494. Table References
@@ -11306,7 +11349,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 493. Table References
+Table 495. Table References
@@ -11336,7 +11379,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 494. Table References
+Table 496. Table References
@@ -11366,7 +11409,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 495. Table References
+Table 497. Table References
@@ -11386,7 +11429,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 496. Table References
+Table 498. Table References
@@ -11438,7 +11481,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 497. Table References
+Table 499. Table References
@@ -11483,7 +11526,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 498. Table References
+Table 500. Table References
@@ -11513,7 +11556,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 499. Table References
+Table 501. Table References
@@ -11533,7 +11576,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 500. Table References
+Table 502. Table References
@@ -11572,7 +11615,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 501. Table References
+Table 503. Table References
@@ -11592,7 +11635,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 502. Table References
+Table 504. Table References
@@ -11622,7 +11665,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 503. Table References
+Table 505. Table References
@@ -11650,7 +11693,7 @@ Botnet is a cluster galaxy available in JSON format at
-Table 504. Table References
+Table 506. Table References
@@ -11679,7 +11722,7 @@ Crooks have used Tsunami initially for DDoS attacks, but its feature-set has gre
The Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.
-Table 505. Table References
+Table 507. Table References
@@ -11716,7 +11759,7 @@ By placing itself in this menu, the device’s OS will automatically start t
-Table 506. Table References
+Table 508. Table References
@@ -11739,7 +11782,7 @@ By placing itself in this menu, the device’s OS will automatically start t
Command-and-control panel and the scanner of this botnet is hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.
-Table 507. Table References
+Table 509. Table References
@@ -11759,7 +11802,7 @@ By placing itself in this menu, the device’s OS will automatically start t
IoT botnet, Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, Owari bot - another Mirai variant - or Omni bot.
-Table 508. Table References
+Table 510. Table References
@@ -11779,7 +11822,7 @@ By placing itself in this menu, the device’s OS will automatically start t
Brain Food is usually the second step in a chain of redirections, its PHP code is polymorphic and obfuscated with multiple layers of base64 encoding. Backdoor functionalities are also embedded in the code allowing remote execution of shell code on web servers which are configured to allow the PHP 'system' command.
-Table 509. Table References
+Table 511. Table References
@@ -11809,7 +11852,7 @@ By placing itself in this menu, the device’s OS will automatically start t
-Table 510. Table References
+Table 512. Table References
@@ -11841,7 +11884,7 @@ By placing itself in this menu, the device’s OS will automatically start t
-Branded Vulnerability is a cluster galaxy available in JSON format at https://github.com/MISP/misp-galaxy/blob/master/clusters/branded vulnerability.json[this location] The JSON format can be freely reused in your application or automatically enabled in MISP.
+Branded Vulnerability is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
|
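Review bot: this change drops the URL instead of repairing the link: the old text "https://github.com/MISP/misp-galaxy/blob/master/clusters/branded vulnerability.json[this location]" is an AsciiDoc link macro that failed to render because of the space in the file name, and the new text "at this location" keeps the link words with nothing to link to. Restore the URL with the correct cluster file name (the space suggests it was derived from the galaxy's display name rather than the file name in the repository), and add a period after "this location", which currently runs straight into "The JSON format...".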
@@ -11934,7 +11977,7 @@ During a code audit Qualys researchers discovered a buffer overflow in the __nss
-Cert EU GovSector is a cluster galaxy available in JSON format at https://github.com/MISP/misp-galaxy/blob/master/clusters/cert eu govsector.json[this location] The JSON format can be freely reused in your application or automatically enabled in MISP.
+Cert EU GovSector is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
|
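Review bot: same regression as the Branded Vulnerability hunk: "https://github.com/MISP/misp-galaxy/blob/master/clusters/cert eu govsector.json[this location]" was a link macro broken by the two spaces in the file name, and the replacement "at this location" removes the URL entirely rather than fixing the name, so readers can no longer find the JSON file. Emit the real cluster file name in the link and terminate the sentence with a period before "The JSON format".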
@@ -12015,7 +12058,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 511. Table References
+Table 513. Table References
@@ -12057,7 +12100,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 512. Table References
+Table 514. Table References
@@ -12090,7 +12133,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 513. Table References
+Table 515. Table References
@@ -12126,7 +12169,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 514. Table References
+Table 516. Table References
@@ -12149,7 +12192,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 515. Table References
+Table 517. Table References
@@ -12179,7 +12222,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 516. Table References
+Table 518. Table References
@@ -12215,7 +12258,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 517. Table References
+Table 519. Table References
@@ -12244,7 +12287,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 518. Table References
+Table 520. Table References
@@ -12267,7 +12310,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 519. Table References
+Table 521. Table References
@@ -12287,7 +12330,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 520. Table References
+Table 522. Table References
@@ -12326,7 +12369,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 521. Table References
+Table 523. Table References
@@ -12365,7 +12408,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 522. Table References
+Table 524. Table References
@@ -12401,7 +12444,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 523. Table References
+Table 525. Table References
@@ -12431,7 +12474,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 524. Table References
+Table 526. Table References
@@ -12464,7 +12507,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 525. Table References
+Table 527. Table References
@@ -12494,7 +12537,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 526. Table References
+Table 528. Table References
@@ -12530,7 +12573,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 527. Table References
+Table 529. Table References
@@ -12556,7 +12599,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 528. Table References
+Table 530. Table References
@@ -12586,7 +12629,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 529. Table References
+Table 531. Table References
@@ -12622,7 +12665,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 530. Table References
+Table 532. Table References
@@ -12658,7 +12701,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 531. Table References
+Table 533. Table References
@@ -12697,7 +12740,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 532. Table References
+Table 534. Table References
@@ -12730,7 +12773,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 533. Table References
+Table 535. Table References
@@ -12769,7 +12812,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 534. Table References
+Table 536. Table References
@@ -12792,7 +12835,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 535. Table References
+Table 537. Table References
@@ -12825,7 +12868,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 536. Table References
+Table 538. Table References
@@ -12851,7 +12894,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 537. Table References
+Table 539. Table References
@@ -12890,7 +12933,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 538. Table References
+Table 540. Table References
@@ -12910,7 +12953,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 539. Table References
+Table 541. Table References
@@ -12943,7 +12986,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 540. Table References
+Table 542. Table References
@@ -12966,7 +13009,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 541. Table References
+Table 543. Table References
@@ -12992,7 +13035,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 542. Table References
+Table 544. Table References
@@ -13028,7 +13071,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 543. Table References
+Table 545. Table References
@@ -13061,7 +13104,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 544. Table References
+Table 546. Table References
@@ -13103,7 +13146,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 545. Table References
+Table 547. Table References
@@ -13133,7 +13176,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 546. Table References
+Table 548. Table References
@@ -13166,7 +13209,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 547. Table References
+Table 549. Table References
@@ -13189,7 +13232,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 548. Table References
+Table 550. Table References
@@ -13215,7 +13258,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 549. Table References
+Table 551. Table References
@@ -13251,7 +13294,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 550. Table References
+Table 552. Table References
@@ -13287,7 +13330,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 551. Table References
+Table 553. Table References
@@ -13323,7 +13366,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 552. Table References
+Table 554. Table References
@@ -13343,7 +13386,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 553. Table References
+Table 555. Table References
@@ -13369,7 +13412,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 554. Table References
+Table 556. Table References
@@ -13389,7 +13432,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Table 555. Table References
+Table 557. Table References
@@ -13424,7 +13467,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at
-Microsoft Activity Group actor is a cluster galaxy available in JSON format at https://github.com/MISP/misp-galaxy/blob/master/clusters/microsoft activity group actor.json[this location] The JSON format can be freely reused in your application or automatically enabled in MISP.
+Microsoft Activity Group actor is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
|
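Review bot: the Microsoft Activity Group actor line loses its link the same way: "https://github.com/MISP/misp-galaxy/blob/master/clusters/microsoft activity group actor.json[this location]" never rendered because of the spaces in the file name, and the new line simply deletes the URL, leaving "at this location The JSON format..." with no target and no sentence break. Generate the link from the cluster's file name rather than its display name, and add the missing period.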
@@ -13443,7 +13486,7 @@ Microsoft Activity Group actor is a cluster galaxy available in JSON format at <
PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.
-Table 556. Table References
+Table 558. Table References
@@ -13463,7 +13506,7 @@ Microsoft Activity Group actor is a cluster galaxy available in JSON format at <
NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.
-Table 557. Table References
+Table 559. Table References
@@ -13483,7 +13526,7 @@ Microsoft Activity Group actor is a cluster galaxy available in JSON format at <
Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.
-Table 558. Table References
+Table 560. Table References
@@ -13540,7 +13583,7 @@ Microsoft Activity Group actor is a cluster galaxy available in JSON format at <
-Table 559. Table References
+Table 561. Table References
@@ -13576,7 +13619,7 @@ Microsoft Activity Group actor is a cluster galaxy available in JSON format at <
-Table 560. Table References
+Table 562. Table References
@@ -13605,7 +13648,7 @@ Microsoft Activity Group actor is a cluster galaxy available in JSON format at <
PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.
-Table 561. Table References
+Table 563. Table References
@@ -13628,7 +13671,7 @@ Microsoft Activity Group actor is a cluster galaxy available in JSON format at <
Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.
-Table 562. Table References
+Table 564. Table References
@@ -13648,7 +13691,7 @@ Microsoft Activity Group actor is a cluster galaxy available in JSON format at <
In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD’s victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEAD’s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD’s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.
-Table 563. Table References
+Table 565. Table References
@@ -13668,7 +13711,7 @@ Microsoft Activity Group actor is a cluster galaxy available in JSON format at <
In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit.
-Table 564. Table References
+Table 566. Table References
@@ -13697,7 +13740,7 @@ Microsoft Activity Group actor is a cluster galaxy available in JSON format at <
-Attack Pattern is a cluster galaxy available in JSON format at https://github.com/MISP/misp-galaxy/blob/master/clusters/attack pattern.json[this location] The JSON format can be freely reused in your application or automatically enabled in MISP.
+Attack Pattern is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
|
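Review bot: the Attack Pattern line has the identical problem: the old "https://github.com/MISP/misp-galaxy/blob/master/clusters/attack pattern.json[this location]" is a link macro broken by the space in the file name, and the new text "at this location" drops the URL instead of correcting it. Since the same pattern appears four times in this diff, the fix belongs in the generator's file-name mapping (use the actual cluster file name), not in hand edits to the HTML; a period after "this location" is also needed.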
@@ -13725,7 +13768,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 565. Table References
+Table 567. Table References
@@ -13760,7 +13803,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 566. Table References
+Table 568. Table References
@@ -13795,7 +13838,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 567. Table References
+Table 569. Table References
@@ -13848,7 +13891,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 568. Table References
+Table 570. Table References
@@ -13898,7 +13941,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 569. Table References
+Table 571. Table References
@@ -13951,7 +13994,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 570. Table References
+Table 572. Table References
@@ -14007,7 +14050,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 571. Table References
+Table 573. Table References
@@ -14045,7 +14088,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 572. Table References
+Table 574. Table References
@@ -14083,7 +14126,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 573. Table References
+Table 575. Table References
@@ -14124,7 +14167,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 574. Table References
+Table 576. Table References
@@ -14159,7 +14202,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 575. Table References
+Table 577. Table References
@@ -14200,7 +14243,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 576. Table References
+Table 578. Table References
@@ -14235,7 +14278,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 577. Table References
+Table 579. Table References
@@ -14273,7 +14316,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 578. Table References
+Table 580. Table References
@@ -14311,7 +14354,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 579. Table References
+Table 581. Table References
@@ -14343,7 +14386,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 580. Table References
+Table 582. Table References
@@ -14381,7 +14424,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 581. Table References
+Table 583. Table References
@@ -14413,7 +14456,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 582. Table References
+Table 584. Table References
@@ -14451,7 +14494,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 583. Table References
+Table 585. Table References
@@ -14492,7 +14535,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 584. Table References
+Table 586. Table References
@@ -14575,7 +14618,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 585. Table References
+Table 587. Table References
@@ -14631,7 +14674,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 586. Table References
+Table 588. Table References
@@ -14660,7 +14703,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 587. Table References
+Table 589. Table References
@@ -14743,7 +14786,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 588. Table References
+Table 590. Table References
@@ -14778,7 +14821,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 589. Table References
+Table 591. Table References
@@ -14822,7 +14865,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 590. Table References
+Table 592. Table References
@@ -14866,7 +14909,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 591. Table References
+Table 593. Table References
@@ -14919,7 +14962,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 592. Table References
+Table 594. Table References
@@ -14957,7 +15000,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 593. Table References
+Table 595. Table References
@@ -15013,7 +15056,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 594. Table References
+Table 596. Table References
@@ -15048,7 +15091,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 595. Table References
+Table 597. Table References
@@ -15077,7 +15120,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 596. Table References
+Table 598. Table References
@@ -15112,7 +15155,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 597. Table References
+Table 599. Table References
@@ -15147,7 +15190,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 598. Table References
+Table 600. Table References
@@ -15185,7 +15228,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 599. Table References
+Table 601. Table References
@@ -15217,7 +15260,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 600. Table References
+Table 602. Table References
@@ -15252,7 +15295,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 601. Table References
+Table 603. Table References
@@ -15293,7 +15336,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 602. Table References
+Table 604. Table References
@@ -15325,7 +15368,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 603. Table References
+Table 605. Table References
@@ -15357,7 +15400,7 @@ Attack Pattern is a cluster galaxy available in JSON format at
-Table 604. Table References
+Table 606. Table References
@@ -15417,7 +15460,7 @@ Many applications create these hidden files and folders to store information so
Data Sources: File monitoring, Process Monitoring, Process command-line parameters
-Table 605. Table References
+Table 607. Table References
@@ -15458,7 +15501,7 @@ Many applications create these hidden files and folders to store information so
Data Sources: DLL monitoring, Windows Registry, Loaded DLLs
-Table 606. Table References
+Table 608. Table References
@@ -15499,7 +15542,7 @@ Many applications create these hidden files and folders to store information so
Data Sources: Packet capture, Process use of network, Malware reverse engineering, Process monitoring
-Table 607. Table References
+Table 609. Table References
@@ -15534,7 +15577,7 @@ Many applications create these hidden files and folders to store information so
Platforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10
-Table 608. Table References
+Table 610. Table References
@@ -15578,7 +15621,7 @@ Many applications create these hidden files and folders to store information so
Data Sources: File monitoring, Process Monitoring
-Table 609. Table References
+Table 611. Table References
@@ -15619,7 +15662,7 @@ Many applications create these hidden files and folders to store information so
Data Sources: WMI Objects
-Table 610. Table References
+Table 612. Table References
@@ -15660,7 +15703,7 @@ Many applications create these hidden files and folders to store information so
Data Sources: API monitoring, File monitoring, Services, Windows Registry, Process command-line parameters, Anti-virus
-Table 611. Table References
+Table 613. Table References
@@ -15689,7 +15732,7 @@ Many applications create these hidden files and folders to store information so
Platforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10
-Table 612. Table References
+Table 614. Table References
@@ -15721,7 +15764,7 @@ Many applications create these hidden files and folders to store information so
Data Sources: File monitoring, Process monitoring, Process command-line parameters, Binary file metadata
-Table 613. Table References
+Table 615. Table References
@@ -15774,7 +15817,7 @@ Many applications create these hidden files and folders to store information so
Data Sources: API monitoring, Process monitoring, Process command-line parameters
-Table 614. Table References
+Table 616. Table References
@@ -15806,7 +15849,7 @@ Many applications create these hidden files and folders to store information so
Data Sources: Authentication logs
-Table 615. Table References
+Table 617. Table References
@@ -15841,7 +15884,7 @@ Many applications create these hidden files and folders to store information so
Data Sources: Authentication logs, File monitoring
-Table 616. Table References
+Table 618. Table References
@@ -15870,7 +15913,7 @@ Many applications create these hidden files and folders to store information so
Data Sources: File monitoring, Process monitoring, Process command-line parameters
-Table 617. Table References
+Table 619. Table References
@@ -15908,7 +15951,7 @@ Many applications create these hidden files and folders to store information so
Effective Permissions: Administrator, root
-Table 618. Table References
+Table 620. Table References
@@ -15943,7 +15986,7 @@ Many applications create these hidden files and folders to store information so
Contributors: John Strand
-Table 619. Table References
+Table 621. Table References
@@ -15984,7 +16027,7 @@ Many applications create these hidden files and folders to store information so
Data Sources: Windows Registry, File monitoring, Process monitoring, Process command-line parameters
-Table 620. Table References
+Table 622. Table References
@@ -16031,7 +16074,7 @@ Many applications create these hidden files and folders to store information so
Data Sources: API monitoring, Process monitoring, File monitoring
-Table 621. Table References
+Table 623. Table References
@@ -16067,7 +16110,7 @@ AppleEvent messages can be sent independently or as part of a script. These even
Data Sources: API monitoring, System calls, Process Monitoring, Process command-line parameters
-Table 622. Table References
+Table 624. Table References
@@ -16102,7 +16145,7 @@ AppleEvent messages can be sent independently or as part of a script. These even
Data Sources: File monitoring, Process Monitoring, Process command-line parameters
-Table 623. Table References
+Table 625. Table References
@@ -16137,7 +16180,7 @@ AppleEvent messages can be sent independently or as part of a script. These even
Data Sources: Process use of network, Process monitoring, Process command-line parameters, Anti-virus, Binary file metadata
-Table 624. Table References
+Table 626. Table References
@@ -16173,7 +16216,7 @@ If the program is configured to run at a higher privilege level than the current
Effective Permissions: Administrator, root
-Table 625. Table References
+Table 627. Table References
@@ -16217,7 +16260,7 @@ If the program is configured to run at a higher privilege level than the current
Contributors: Stefan Kanthak
-Table 626. Table References
+Table 628. Table References
@@ -16255,7 +16298,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Process Monitoring
-Table 627. Table References
+Table 629. Table References
@@ -16299,7 +16342,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Authentication logs, File monitoring, Process monitoring, Process use of network
-Table 628. Table References
+Table 630. Table References
@@ -16343,7 +16386,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Process monitoring, Process command-line parameters
-Table 629. Table References
+Table 631. Table References
@@ -16384,7 +16427,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Process monitoring, Process command-line parameters
-Table 630. Table References
+Table 632. Table References
@@ -16422,7 +16465,7 @@ If the program is configured to run at a higher privilege level than the current
Contributors: John Lambert, Microsoft Threat Intelligence Center
-Table 631. Table References
+Table 633. Table References
@@ -16476,7 +16519,7 @@ If the program is configured to run at a higher privilege level than the current
Contributors: Stefan Kanthak
-Table 632. Table References
+Table 634. Table References
@@ -16514,7 +16557,7 @@ If the program is configured to run at a higher privilege level than the current
Contributors: ENDGAME
-Table 633. Table References
+Table 635. Table References
@@ -16564,7 +16607,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: API monitoring
-Table 634. Table References
+Table 636. Table References
@@ -16605,7 +16648,7 @@ If the program is configured to run at a higher privilege level than the current
Contributors: Casey Smith
-Table 635. Table References
+Table 637. Table References
@@ -16640,7 +16683,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Packet capture, Process use of network, Process monitoring, Network protocol analysis
-Table 636. Table References
+Table 638. Table References
@@ -16672,7 +16715,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Process monitoring, Process command-line parameters
-Table 637. Table References
+Table 639. Table References
@@ -16701,7 +16744,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Network protocol analysis, Process use of network, File monitoring, Malware reverse engineering, Binary file metadata
-Table 638. Table References
+Table 640. Table References
@@ -16736,7 +16779,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Process monitoring, File monitoring, API monitoring
-Table 639. Table References
+Table 641. Table References
@@ -16768,7 +16811,7 @@ If the program is configured to run at a higher privilege level than the current
Platforms: MacOS, OS X
-Table 640. Table References
+Table 642. Table References
@@ -16815,7 +16858,7 @@ If the program is configured to run at a higher privilege level than the current
Contributors: ENDGAME
-Table 641. Table References
+Table 643. Table References
@@ -16850,7 +16893,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Process use of network, Process monitoring, Loaded DLLs
-Table 642. Table References
+Table 644. Table References
@@ -16885,7 +16928,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Process monitoring, Process use of network
-Table 643. Table References
+Table 645. Table References
@@ -16917,7 +16960,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process use of network, Process command-line parameters
-Table 644. Table References
+Table 646. Table References
@@ -16952,7 +16995,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Process Monitoring, Process command-line parameters, Process use of network
-Table 645. Table References
+Table 647. Table References
@@ -16981,7 +17024,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Process monitoring, Process command-line parameters
-Table 646. Table References
+Table 648. Table References
@@ -17013,7 +17056,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Data loss prevention
-Table 647. Table References
+Table 649. Table References
@@ -17045,7 +17088,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Authentication logs, Netflow/Enclave netflow, Process monitoring
-Table 648. Table References
+Table 650. Table References
@@ -17083,7 +17126,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Netflow/Enclave netflow, Process use of network, Process monitoring
-Table 649. Table References
+Table 651. Table References
@@ -17131,7 +17174,7 @@ If the program is configured to run at a higher privilege level than the current
Contributors: Stefan Kanthak, Casey Smith
-Table 650. Table References
+Table 652. Table References
@@ -17202,7 +17245,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Process monitoring
-Table 651. Table References
+Table 653. Table References
@@ -17249,7 +17292,7 @@ If the program is configured to run at a higher privilege level than the current
Contributors: Walker Johnson
-Table 652. Table References
+Table 654. Table References
@@ -17290,7 +17333,7 @@ If the program is configured to run at a higher privilege level than the current
Effective Permissions: root
-Table 653. Table References
+Table 655. Table References
@@ -17367,7 +17410,7 @@ If the program is configured to run at a higher privilege level than the current
Contributors: Loic Jaquemet, Ricardo Dias
-Table 654. Table References
+Table 656. Table References
@@ -17426,7 +17469,7 @@ If the program is configured to run at a higher privilege level than the current
Contributors: Casey Smith
-Table 655. Table References
+Table 657. Table References
@@ -17467,7 +17510,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Process monitoring, Process command-line parameters
-Table 656. Table References
+Table 658. Table References
@@ -17512,7 +17555,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring
-Table 657. Table References
+Table 659. Table References
@@ -17547,7 +17590,7 @@ If the program is configured to run at a higher privilege level than the current
Contributors: Itzik Kotler, SafeBreach
-Table 658. Table References
+Table 660. Table References
@@ -17585,7 +17628,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Process command-line parameters
-Table 659. Table References
+Table 661. Table References
@@ -17632,7 +17675,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Windows Registry, File monitoring, Process monitoring, Process command-line parameters
-Table 660. Table References
+Table 662. Table References
@@ -17694,7 +17737,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Process monitoring, Process command-line parameters
-Table 661. Table References
+Table 663. Table References
@@ -17723,7 +17766,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Process Monitoring, Process command-line parameters
-Table 662. Table References
+Table 664. Table References
@@ -17758,7 +17801,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Windows Registry, File monitoring, Process monitoring, Process command-line parameters
-Table 663. Table References
+Table 665. Table References
@@ -17799,7 +17842,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Packet capture, Netflow/Enclave netflow, Malware reverse engineering, Process use of network, Process monitoring, SSL/TLS inspection
-Table 664. Table References
+Table 666. Table References
@@ -17849,7 +17892,7 @@ If the program is configured to run at a higher privilege level than the current
Contributors: Itzik Kotler, SafeBreach
-Table 665. Table References
+Table 667. Table References
@@ -17899,7 +17942,7 @@ If the program is configured to run at a higher privilege level than the current
Effective Permissions: User, Administrator
-Table 666. Table References
+Table 668. Table References
@@ -17934,7 +17977,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Binary file metadata, Malware reverse engineering, Process Monitoring
-Table 667. Table References
+Table 669. Table References
@@ -17969,7 +18012,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Process monitoring, Process command-line parameters
-Table 668. Table References
+Table 670. Table References
@@ -17998,7 +18041,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Process monitoring, Process command-line parameters
-Table 669. Table References
+Table 671. Table References
@@ -18027,7 +18070,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring
-Table 670. Table References
+Table 672. Table References
@@ -18071,7 +18114,7 @@ If the program is configured to run at a higher privilege level than the current
Contributors: Ryan Becwar
-Table 671. Table References
+Table 673. Table References
@@ -18112,7 +18155,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Authentication logs, Netflow/Enclave netflow, Process monitoring, Process command-line parameters
-Table 672. Table References
+Table 674. Table References
@@ -18153,7 +18196,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: API monitoring, Process monitoring, File monitoring
-Table 673. Table References
+Table 675. Table References
@@ -18191,7 +18234,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring
-Table 674. Table References
+Table 676. Table References
@@ -18232,7 +18275,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Process monitoring, Process command-line parameters, Binary file metadata
-Table 675. Table References
+Table 677. Table References
@@ -18261,7 +18304,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Packet capture, Netflow/Enclave netflow, Malware reverse engineering, Process use of network, Process monitoring
-Table 676. Table References
+Table 678. Table References
@@ -18299,7 +18342,7 @@ If the program is configured to run at a higher privilege level than the current
Contributors: John Lambert, Microsoft Threat Intelligence Center
-Table 677. Table References
+Table 679. Table References
@@ -18334,7 +18377,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Authentication logs, File monitoring
-Table 678. Table References
+Table 680. Table References
@@ -18366,7 +18409,7 @@ If the program is configured to run at a higher privilege level than the current
Platforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10, Linux, MacOS, OS X
-Table 679. Table References
+Table 681. Table References
@@ -18392,7 +18435,7 @@ If the program is configured to run at a higher privilege level than the current
Platforms: MacOS, OS X
-Table 680. Table References
+Table 682. Table References
@@ -18436,7 +18479,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: Process monitoring, Process use of network, Packet capture, Network protocol analysis, File monitoring, Authentication logs, Binary file metadata
-Table 681. Table References
+Table 683. Table References
@@ -18477,7 +18520,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Process monitoring, Process command-line parameters, Binary file metadata
-Table 682. Table References
+Table 684. Table References
@@ -18530,7 +18573,7 @@ If the program is configured to run at a higher privilege level than the current
Contributors: Stefan Kanthak
-Table 683. Table References
+Table 685. Table References
@@ -18580,7 +18623,7 @@ If the program is configured to run at a higher privilege level than the current
Data Sources: File monitoring, Process monitoring, Process command-line parameters
-Table 684. Table References
+Table 686. Table References
@@ -18618,7 +18661,7 @@ If the program is configured to run at a higher privilege level than the current
Effective Permissions: Administrator, SYSTEM
-Table 685. Table References
+Table 687. Table References
@@ -18659,7 +18702,7 @@ If the program is configured to run at a higher privilege level than the current
Platforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X
-Table 686. Table References
+Table 688. Table References
@@ -18698,7 +18741,7 @@ Adversaries can modify these plist files to point to their own code, can use the
Data Sources: File monitoring, Process Monitoring, Process command-line parameters
-Table 687. Table References
+Table 689. Table References
@@ -18739,7 +18782,7 @@ Adversaries can modify these plist files to point to their own code, can use the
Contributors: Matthew Demaske, Adaptforward
-Table 688. Table References
+Table 690. Table References
@@ -18780,7 +18823,7 @@ Adversaries can modify these plist files to point to their own code, can use the
Data Sources: Authentication logs, API monitoring, Windows event logs
-Table 689. Table References
+Table 691. Table References
@@ -18824,7 +18867,7 @@ Adversaries can modify these plist files to point to their own code, can use the
Data Sources: Network protocol analysis, Process monitoring, Process use of network, Process command-line parameters
-Table 690. Table References
+Table 692. Table References
@@ -18871,7 +18914,7 @@ Adversaries can modify these plist files to point to their own code, can use the
Data Sources: API monitoring, Process monitoring, Process command-line parameters
-Table 691. Table References
+Table 693. Table References
@@ -18906,7 +18949,7 @@ Adversaries can modify these plist files to point to their own code, can use the
Contributors: Walker Johnson
-Table 692. Table References
+Table 694. Table References
@@ -18947,7 +18990,7 @@ Adversaries can modify these plist files to point to their own code, can use the
Contributors: Stefan Kanthak
-Table 693. Table References
+Table 695. Table References
@@ -18997,7 +19040,7 @@ Adversaries can modify these plist files to point to their own code, can use the
Data Sources: Binary file metadata, Process Monitoring, Process command-line parameters, File monitoring
-Table 694. Table References
+Table 696. Table References
@@ -19043,7 +19086,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: API monitoring, MBR, VBR
-Table 695. Table References
+Table 697. Table References
@@ -19078,7 +19121,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: File monitoring, Process monitoring, Process command-line parameters
-Table 696. Table References
+Table 698. Table References
@@ -19107,7 +19150,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Platforms: MacOS, OS X
-Table 697. Table References
+Table 699. Table References
@@ -19142,7 +19185,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Contributors: Itzik Kotler, SafeBreach
-Table 698. Table References
+Table 700. Table References
@@ -19171,7 +19214,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: File monitoring, Process monitoring, Process command-line parameters
-Table 699. Table References
+Table 701. Table References
@@ -19203,7 +19246,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Effective Permissions: User, SYSTEM
-Table 700. Table References
+Table 702. Table References
@@ -19238,7 +19281,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Effective Permissions: SYSTEM
-Table 701. Table References
+Table 703. Table References
@@ -19273,7 +19316,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: Process use of network, Authentication logs, Process monitoring, Process command-line parameters
-Table 702. Table References
+Table 704. Table References
@@ -19323,7 +19366,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: Windows Registry, File monitoring, Process monitoring
-Table 703. Table References
+Table 705. Table References
@@ -19361,7 +19404,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: Process Monitoring, Process command-line parameters, Network protocol analysis, Process use of network
-Table 704. Table References
+Table 706. Table References
@@ -19396,7 +19439,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: Authentication logs
-Table 705. Table References
+Table 707. Table References
@@ -19447,7 +19490,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Contributors: Paul Speulstra, AECOM Global Security Operations Center
-Table 706. Table References
+Table 708. Table References
@@ -19485,7 +19528,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: File monitoring, Process monitoring
-Table 707. Table References
+Table 709. Table References
@@ -19520,7 +19563,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Contributors: Daniel Oakley
-Table 708. Table References
+Table 710. Table References
@@ -19555,7 +19598,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: File monitoring, Process use of network, Process monitoring
-Table 709. Table References
+Table 711. Table References
@@ -19587,7 +19630,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: File monitoring, Data loss prevention, Process command-line parameters
-Table 710. Table References
+Table 712. Table References
@@ -19617,7 +19660,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: DLL monitoring, Windows Registry, Loaded DLLs
-Table 711. Table References
+Table 713. Table References
@@ -19652,7 +19695,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: Process Monitoring, Authentication logs, File monitoring, Environment variable
-Table 712. Table References
+Table 714. Table References
@@ -19681,7 +19724,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: File monitoring, Process monitoring, Process command-line parameters, Binary file metadata
-Table 713. Table References
+Table 715. Table References
@@ -19713,7 +19756,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: Network device logs, Host network interface, Netflow/Enclave netflow
-Table 714. Table References
+Table 716. Table References
@@ -19755,7 +19798,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Contributors: Stefan Kanthak
-Table 715. Table References
+Table 717. Table References
@@ -19796,7 +19839,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: Process Monitoring, File monitoring, Process command-line parameters
-Table 716. Table References
+Table 718. Table References
@@ -19828,7 +19871,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: Binary file metadata
-Table 717. Table References
+Table 719. Table References
@@ -19866,7 +19909,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: API monitoring, Process monitoring, Process command-line parameters
-Table 718. Table References
+Table 720. Table References
@@ -19895,7 +19938,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: System calls
-Table 719. Table References
+Table 721. Table References
@@ -19945,7 +19988,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: API monitoring, Process monitoring, PowerShell logs, Process command-line parameters
-Table 720. Table References
+Table 722. Table References
@@ -19983,7 +20026,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture
-Table 721. Table References
+Table 723. Table References
@@ -20015,7 +20058,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: Windows Registry, Process monitoring, Process command-line parameters
-Table 722. Table References
+Table 724. Table References
@@ -20062,7 +20105,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: File monitoring, Third-party application logs, Windows Registry, Process monitoring, Process use of network, Binary file metadata
-Table 723. Table References
+Table 725. Table References
@@ -20097,7 +20140,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring
-Table 724. Table References
+Table 726. Table References
@@ -20126,7 +20169,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: API monitoring
-Table 725. Table References
+Table 727. Table References
@@ -20164,7 +20207,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: File monitoring, Process monitoring
-Table 726. Table References
+Table 728. Table References
@@ -20196,7 +20239,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: Sensor health and status, Process monitoring, Process command-line parameters
-Table 727. Table References
+Table 729. Table References
@@ -20232,7 +20275,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: User interface, Process Monitoring
-Table 728. Table References
+Table 730. Table References
@@ -20267,7 +20310,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: Data loss prevention, File monitoring
-Table 729. Table References
+Table 731. Table References
@@ -20296,7 +20339,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: Process monitoring, Process command-line parameters, API monitoring
-Table 730. Table References
+Table 732. Table References
@@ -20358,7 +20401,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Contributors: Stefan Kanthak
-Table 731. Table References
+Table 733. Table References
@@ -20399,7 +20442,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Contributors: Itzik Kotler, SafeBreach
-Table 732. Table References
+Table 734. Table References
@@ -20437,7 +20480,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
Data Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring
-Table 733. Table References
+Table 735. Table References
@@ -20469,7 +20512,7 @@ The MBR passes control of the boot process to the VBR. Similar to the case of MB
-Course of Action is a cluster galaxy available in JSON format at https://github.com/MISP/misp-galaxy/blob/master/clusters/course of action.json[this location] The JSON format can be freely reused in your application or automatically enabled in MISP.
+Course of Action is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
|
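Review bot: the replacement line removes the link target instead of repairing it: `-... at https://github.com/MISP/misp-galaxy/blob/master/clusters/course of action.json[this location]` becomes `+... at this location`, so the rendered sentence now says "this location" with nothing to follow. The original macro failed to render because the URL contains spaces; keep the link and percent-encode them (`clusters/course%20of%20action.json`) or use the filename exactly as it is stored in the repository, and add the missing period before "The JSON format can be freely reused".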
@@ -21679,7 +21722,7 @@ Course of Action is a cluster galaxy available in JSON format at
-Enterprise Attack - Attack Pattern is a cluster galaxy available in JSON format at https://github.com/MISP/misp-galaxy/blob/master/clusters/enterprise attack - attack pattern.json[this location] The JSON format can be freely reused in your application or automatically enabled in MISP.
+Enterprise Attack - Attack Pattern is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
|
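Review bot: the URL `https://github.com/MISP/misp-galaxy/blob/master/clusters/enterprise attack - attack pattern.json` is dropped here and the sentence is left pointing at a bare "this location", which loses the only pointer to the cluster file. The link failed to render because of the spaces in the path; percent-encode them (`clusters/enterprise%20attack%20-%20attack%20pattern.json`) or use the repository's actual filename rather than deleting the target, and insert the missing period between "this location" and "The JSON format".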
@@ -21710,7 +21753,7 @@ Enterprise Attack - Attack Pattern is a cluster galaxy available in JSON format
Requires Network: Yes
-Table 734. Table References
+Table 736. Table References
@@ -21748,7 +21791,7 @@ Enterprise Attack - Attack Pattern is a cluster galaxy available in JSON format
Requires Network: Yes
-Table 735. Table References
+Table 737. Table References
@@ -21783,7 +21826,7 @@ Enterprise Attack - Attack Pattern is a cluster galaxy available in JSON format
Requires Network: No
-Table 736. Table References
+Table 738. Table References
@@ -21863,7 +21906,7 @@ Often found in development environments alongside Atlassian JIRA, Confluence is
Contributors: Milos Stojadinovic
-Table 737. Table References
+Table 739. Table References
@@ -21916,7 +21959,7 @@ Often found in development environments alongside Atlassian JIRA, Confluence is
Contributors: Bartosz Jerzman
-Table 738. Table References
+Table 740. Table References
@@ -21974,7 +22017,7 @@ Often found in development environments alongside Atlassian JIRA, Confluence is
Contributors: Sudhanshu Chauhan, @Sudhanshu_C
-Table 739. Table References
+Table 741. Table References
@@ -22012,7 +22055,7 @@ Often found in development environments alongside Atlassian JIRA, Confluence is
Requires Network: Yes
-Table 740. Table References
+Table 742. Table References
@@ -22071,7 +22114,7 @@ Often found in development environments alongside Atlassian JIRA, Confluence is
Contributors: Stefan Kanthak, Travis Smith, Tripwire
-Table 741. Table References
+Table 743. Table References
@@ -22115,7 +22158,7 @@ Often found in development environments alongside Atlassian JIRA, Confluence is
Permissions Required: User
-Table 742. Table References
+Table 744. Table References
@@ -22168,7 +22211,7 @@ Often found in development environments alongside Atlassian JIRA, Confluence is
Permissions Required: User
-Table 743. Table References
+Table 745. Table References
@@ -22222,7 +22265,7 @@ AppleEvent messages can be sent independently or as part of a script. These even
Remote Support: Yes
-Table 744. Table References
+Table 746. Table References
@@ -22260,7 +22303,7 @@ AppleEvent messages can be sent independently or as part of a script. These even
System Requirements: Privileges to access removable media drive and files
-Table 745. Table References
+Table 747. Table References
@@ -22298,7 +22341,7 @@ AppleEvent messages can be sent independently or as part of a script. These even
Defense Bypassed: Windows User Account Control
-Table 746. Table References
+Table 748. Table References
@@ -22357,7 +22400,7 @@ Similar to Process Injection, this value can be abused to obtain persistence and
Permissions Required: Administrator, SYSTEM
-Table 747. Table References
+Table 749. Table References
@@ -22404,7 +22447,7 @@ Similar to Process Injection, this value can be abused to obtain persistence and
Permissions Required: Administrator, SYSTEM, root
-Table 748. Table References
+Table 750. Table References
@@ -22445,7 +22488,7 @@ Similar to Process Injection, this value can be abused to obtain persistence and
Permissions Required: User
-Table 749. Table References
+Table 751. Table References
@@ -22495,7 +22538,7 @@ Similar to Process Injection, this value can be abused to obtain persistence and
Remote Support: No
-Table 750. Table References
+Table 752. Table References
@@ -22530,7 +22573,7 @@ Similar to Process Injection, this value can be abused to obtain persistence and
Requires Network: Yes
-Table 751. Table References
+Table 753. Table References
@@ -22568,7 +22611,7 @@ Similar to Process Injection, this value can be abused to obtain persistence and
Permissions Required: User
-Table 752. Table References
+Table 754. Table References
@@ -22606,7 +22649,7 @@ Similar to Process Injection, this value can be abused to obtain persistence and
Requires Network: Yes
-Table 753. Table References
+Table 755. Table References
@@ -22638,7 +22681,7 @@ Similar to Process Injection, this value can be abused to obtain persistence and
Permissions Required: root
-Table 754. Table References
+Table 756. Table References
@@ -22682,7 +22725,7 @@ Similar to Process Injection, this value can be abused to obtain persistence and
Data Sources: File monitoring, Packet capture, Mail server, Network intrusion detection system, Detonation chamber, Email gateway
-Table 755. Table References
+Table 757. Table References
@@ -22762,7 +22805,7 @@ Similar to Process Injection, this value can be abused to obtain persistence and
Permissions Required: Administrator
-Table 756. Table References
+Table 758. Table References
@@ -22815,7 +22858,7 @@ Similar to Process Injection, this value can be abused to obtain persistence and
Contributors: John Lambert, Microsoft Threat Intelligence Center
-Table 757. Table References
+Table 759. Table References
@@ -22865,7 +22908,7 @@ Similar to Process Injection, this value can be abused to obtain persistence and
Contributors: Casey Smith
-Table 758. Table References
+Table 760. Table References
@@ -22968,7 +23011,7 @@ RCSI: .NET 4.5 or later, Visual Studio 2012
Contributors: Casey Smith, Matthew Demaske, Adaptforward
-Table 759. Table References
+Table 761. Table References
@@ -23030,7 +23073,7 @@ RCSI: .NET 4.5 or later, Visual Studio 2012
Permissions Required: User
-Table 760. Table References
+Table 762. Table References
@@ -23088,7 +23131,7 @@ RCSI: .NET 4.5 or later, Visual Studio 2012
Contributors: Travis Smith, Tripwire, Leo Loobeek, @leoloobeek, Alain Homewood, Insomnia Security
-Table 761. Table References
+Table 763. Table References
@@ -23138,7 +23181,7 @@ RCSI: .NET 4.5 or later, Visual Studio 2012
Remote Support: No
-Table 762. Table References
+Table 764. Table References
@@ -23181,7 +23224,7 @@ SMB authentication.
Remote Support: Yes
-Table 763. Table References
+Table 765. Table References
@@ -23240,7 +23283,7 @@ SMB authentication.
Contributors: Red Canary
-Table 764. Table References
+Table 766. Table References
@@ -23311,7 +23354,7 @@ SMB authentication.
Contributors: Matt Kelly, @breakersall
-Table 765. Table References
+Table 767. Table References
@@ -23352,7 +23395,7 @@ SMB authentication.
Permissions Required: User
-Table 766. Table References
+Table 768. Table References
@@ -23405,7 +23448,7 @@ SMB authentication.
System Requirements: Administrator, SYSTEM may provide better process ownership details
-Table 767. Table References
+Table 769. Table References
@@ -23446,7 +23489,7 @@ SMB authentication.
Contributors: Ryan Becwar, McAfee
-Table 768. Table References
+Table 770. Table References
@@ -23508,7 +23551,7 @@ SMB authentication.
Permissions Required: User, Administrator
-Table 769. Table References
+Table 771. Table References
@@ -23549,7 +23592,7 @@ SMB authentication.
Remote Support: Yes
-Table 770. Table References
+Table 772. Table References
@@ -23581,7 +23624,7 @@ SMB authentication.
Requires Network: Yes
-Table 771. Table References
+Table 773. Table References
@@ -23631,7 +23674,7 @@ SMB authentication.
Contributors: Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
-Table 772. Table References
+Table 774. Table References
@@ -23699,7 +23742,7 @@ SMB authentication.
Remote Support: No
-Table 773. Table References
+Table 775. Table References
@@ -23755,7 +23798,7 @@ SMB authentication.
Permissions Required: Administrator, SYSTEM
-Table 774. Table References
+Table 776. Table References
@@ -23820,7 +23863,7 @@ SMB authentication.
Contributors: John Lambert, Microsoft Threat Intelligence Center
-Table 775. Table References
+Table 777. Table References
@@ -23858,7 +23901,7 @@ SMB authentication.
Permissions Required: Administrator
-Table 776. Table References
+Table 778. Table References
@@ -23905,7 +23948,7 @@ SMB authentication.
Contributors: Justin Warner, ICEBRG
-Table 777. Table References
+Table 779. Table References
@@ -23952,7 +23995,7 @@ SMB authentication.
Contributors: John Lambert, Microsoft Threat Intelligence Center
-Table 778. Table References
+Table 780. Table References
@@ -23990,7 +24033,7 @@ SMB authentication.
Permissions Required: User
-Table 779. Table References
+Table 781. Table References
@@ -24043,7 +24086,7 @@ SMB authentication.
Contributors: Vincent Le Toux
-Table 780. Table References
+Table 782. Table References
@@ -24090,7 +24133,7 @@ SMB authentication.
Data Sources: File monitoring, Process monitoring, Process command-line parameters
-Table 781. Table References
+Table 783. Table References
@@ -24128,7 +24171,7 @@ SMB authentication.
Data Sources: SSL/TLS inspection, Anti-virus, Web proxy
-Table 782. Table References
+Table 784. Table References
@@ -24172,7 +24215,7 @@ SMB authentication.
Permissions Required: Administrator, SYSTEM
-Table 783. Table References
+Table 785. Table References
@@ -24219,7 +24262,7 @@ SMB authentication.
System Requirements: Established network share connection to a remote system. Level of access depends on permissions of the account used.
-Table 784. Table References
+Table 786. Table References
@@ -24266,7 +24309,7 @@ SMB authentication.
Contributors: Itzik Kotler, SafeBreach
-Table 785. Table References
+Table 787. Table References
@@ -24329,7 +24372,7 @@ SMB authentication.
Permissions Required: User, Administrator, SYSTEM
-Table 786. Table References
+Table 788. Table References
@@ -24379,7 +24422,7 @@ SMB authentication.
Data Sources: Application Logs, Authentication logs, Third-party application logs
-Table 787. Table References
+Table 789. Table References
@@ -24426,7 +24469,7 @@ SMB authentication.
Remote Support: No
-Table 788. Table References
+Table 790. Table References
@@ -24491,7 +24534,7 @@ SMB authentication.
Permissions Required: User
-Table 789. Table References
+Table 791. Table References
@@ -24532,7 +24575,7 @@ SMB authentication.
Permissions Required: root
-Table 790. Table References
+Table 792. Table References
@@ -24612,7 +24655,7 @@ SMB authentication.
Contributors: Anastasios Pingios
-Table 791. Table References
+Table 793. Table References
@@ -24692,7 +24735,7 @@ SMB authentication.
Permissions Required: Administrator
-Table 792. Table References
+Table 794. Table References
@@ -24739,7 +24782,7 @@ SMB authentication.
Requires Network: Yes
-Table 793. Table References
+Table 795. Table References
@@ -24783,7 +24826,7 @@ SMB authentication.
System Requirements: Ability to update component device firmware from the host operating system.
-Table 794. Table References
+Table 796. Table References
@@ -24836,7 +24879,7 @@ SMB authentication.
Permissions Required: User
-Table 795. Table References
+Table 797. Table References
@@ -24874,7 +24917,7 @@ SMB authentication.
Permissions Required: Administrator, SYSTEM
-Table 796. Table References
+Table 798. Table References
@@ -24918,7 +24961,7 @@ SMB authentication.
Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems, Signature-based detection, Log analysis
-Table 797. Table References
+Table 799. Table References
@@ -24950,7 +24993,7 @@ SMB authentication.
Permissions Required: User, Administrator, SYSTEM
-Table 798. Table References
+Table 800. Table References
@@ -24985,7 +25028,7 @@ SMB authentication.
Requires Network: No
-Table 799. Table References
+Table 801. Table References
@@ -25047,7 +25090,7 @@ SMB authentication.
Contributors: Travis Smith, Tripwire
-Table 800. Table References
+Table 802. Table References
@@ -25085,7 +25128,7 @@ SMB authentication.
Contributors: Travis Smith, Tripwire
-Table 801. Table References
+Table 803. Table References
@@ -25126,7 +25169,7 @@ SMB authentication.
Remote Support: No
-Table 802. Table References
+Table 804. Table References
@@ -25161,7 +25204,7 @@ SMB authentication.
Permissions Required: User, Administrator, SYSTEM
-Table 803. Table References
+Table 805. Table References
@@ -25214,7 +25257,7 @@ SMB authentication.
Contributors: John Strand
-Table 804. Table References
+Table 806. Table References
@@ -25270,7 +25313,7 @@ SMB authentication.
Contributors: Bartosz Jerzman, Travis Smith, Tripwire
-Table 805. Table References
+Table 807. Table References
@@ -25323,7 +25366,7 @@ SMB authentication.
Contributors: Vincent Le Toux
-Table 806. Table References
+Table 808. Table References
@@ -25367,7 +25410,7 @@ SMB authentication.
Contributors: Erye Hernandez, Palo Alto Networks
-Table 807. Table References
+Table 809. Table References
@@ -25411,7 +25454,7 @@ SMB authentication.
Data Sources: API monitoring, Process monitoring, File monitoring
-Table 808. Table References
+Table 810. Table References
@@ -25458,7 +25501,7 @@ SMB authentication.
System Requirements: Unpatched software or otherwise vulnerable target. Depending on the target and goal, the system and exploitable service may need to be remotely accessible from the internal network.
-Table 809. Table References
+Table 811. Table References
@@ -25505,7 +25548,7 @@ SMB authentication.
Defense Bypassed: Anti-virus, Log analysis, Host intrusion prevention systems
-Table 810. Table References
+Table 812. Table References
@@ -25555,7 +25598,7 @@ SMB authentication.
Contributors: Stefan Kanthak, Travis Smith, Tripwire
-Table 811. Table References
+Table 813. Table References
@@ -25608,7 +25651,7 @@ SMB authentication.
Contributors: Praetorian
-Table 812. Table References
+Table 814. Table References
@@ -25658,7 +25701,7 @@ SMB authentication.
Data Sources: Authentication logs, File monitoring, Process monitoring, Process use of network
-Table 813. Table References
+Table 815. Table References
@@ -25705,7 +25748,7 @@ SMB authentication.
Permissions Required: User
-Table 814. Table References
+Table 816. Table References
@@ -25752,7 +25795,7 @@ SMB authentication.
Permissions Required: User, Administrator
-Table 815. Table References
+Table 817. Table References
@@ -25808,7 +25851,7 @@ SMB authentication.
Contributors: Anastasios Pingios
-Table 816. Table References
+Table 818. Table References
@@ -25879,7 +25922,7 @@ SMB authentication.
Contributors: John Lambert, Microsoft Threat Intelligence Center
-Table 817. Table References
+Table 819. Table References
@@ -25939,7 +25982,7 @@ SMB authentication.
Contributors: Stefan Kanthak
-Table 818. Table References
+Table 820. Table References
@@ -25983,7 +26026,7 @@ SMB authentication.
Contributors: ENDGAME
-Table 819. Table References
+Table 821. Table References
@@ -26033,7 +26076,7 @@ SMB authentication.
Data Sources: API monitoring
-Table 820. Table References
+Table 822. Table References
@@ -26071,7 +26114,7 @@ SMB authentication.
Permissions Required: User
-Table 821. Table References
+Table 823. Table References
@@ -26112,7 +26155,7 @@ SMB authentication.
Contributors: Matt Kelly, @breakersall
-Table 822. Table References
+Table 824. Table References
@@ -26150,7 +26193,7 @@ SMB authentication.
Permissions Required: User, Administrator
-Table 823. Table References
+Table 825. Table References
@@ -26212,7 +26255,7 @@ SyncAppvPublishingServer.exe can be used to run powershell scripts without execu
Contributors: Praetorian
-Table 824. Table References
+Table 826. Table References
@@ -26265,7 +26308,7 @@ SyncAppvPublishingServer.exe can be used to run powershell scripts without execu
Contributors: Casey Smith, Travis Smith, Tripwire
-Table 825. Table References
+Table 827. Table References
@@ -26300,7 +26343,7 @@ SyncAppvPublishingServer.exe can be used to run powershell scripts without execu
Requires Network: Yes
-Table 826. Table References
+Table 828. Table References
@@ -26338,7 +26381,7 @@ SyncAppvPublishingServer.exe can be used to run powershell scripts without execu
Contributors: Travis Smith, Tripwire
-Table 827. Table References
+Table 829. Table References
@@ -26373,7 +26416,7 @@ SyncAppvPublishingServer.exe can be used to run powershell scripts without execu
Permissions Required: User, Administrator
-Table 828. Table References
+Table 830. Table References
@@ -26450,7 +26493,7 @@ SyncAppvPublishingServer.exe can be used to run powershell scripts without execu
Contributors: Red Canary, Christiaan Beek, @ChristiaanBeek
-Table 829. Table References
+Table 831. Table References
@@ -26524,7 +26567,7 @@ SyncAppvPublishingServer.exe can be used to run powershell scripts without execu
Contributors: Praetorian
-Table 830. Table References
+Table 832. Table References
@@ -26582,7 +26625,7 @@ Another variation of this technique includes malicious binaries changing the nam
Contributors: ENDGAME, Bartosz Jerzman
-Table 831. Table References
+Table 833. Table References
@@ -26632,7 +26675,7 @@ Another variation of this technique includes malicious binaries changing the nam
Defense Bypassed: Anti-virus, Process whitelisting
-Table 832. Table References
+Table 834. Table References
@@ -26673,7 +26716,7 @@ Another variation of this technique includes malicious binaries changing the nam
Requires Network: Yes
-Table 833. Table References
+Table 835. Table References
@@ -26708,7 +26751,7 @@ Another variation of this technique includes malicious binaries changing the nam
Permissions Required: User, Administrator, SYSTEM
-Table 834. Table References
+Table 836. Table References
@@ -26743,7 +26786,7 @@ Another variation of this technique includes malicious binaries changing the nam
System Requirements: Removable media allowed, Autorun enabled or vulnerability present that allows for code execution
-Table 835. Table References
+Table 837. Table References
@@ -26790,7 +26833,7 @@ Another variation of this technique includes malicious binaries changing the nam
Contributors: Matthew Demaske, Adaptforward
-Table 836. Table References
+Table 838. Table References
@@ -26840,7 +26883,7 @@ Another variation of this technique includes malicious binaries changing the nam
Requires Network: Yes
-Table 837. Table References
+Table 839. Table References
@@ -26913,7 +26956,7 @@ Another variation of this technique includes malicious binaries changing the nam
Contributors: Stefan Kanthak, Casey Smith
-Table 838. Table References
+Table 840. Table References
@@ -26975,7 +27018,7 @@ Another variation of this technique includes malicious binaries changing the nam
Data Sources: Application logs, Packet capture, Web logs, Web application firewall logs
-Table 839. Table References
+Table 841. Table References
@@ -27031,7 +27074,7 @@ Another variation of this technique includes malicious binaries changing the nam
System Requirements: Write access to system or domain logon scripts
-Table 840. Table References
+Table 842. Table References
@@ -27081,7 +27124,7 @@ Another variation of this technique includes malicious binaries changing the nam
Contributors: Walker Johnson
-Table 841. Table References
+Table 843. Table References