2017-08-16 10:17:00 +00:00
{
2017-10-26 08:28:53 +00:00
"authors" : [
"MITRE"
] ,
2018-10-19 08:23:09 +00:00
"category" : "tool" ,
2017-10-26 08:28:53 +00:00
"description" : "Name of ATT&CK software" ,
2023-11-16 14:32:08 +00:00
"name" : "mitre-tool" ,
2017-10-26 08:28:53 +00:00
"source" : "https://github.com/mitre/cti" ,
2018-08-13 15:06:29 +00:00
"type" : "mitre-tool" ,
"uuid" : "d700dc5c-78f6-11e7-a476-5f748c8e4fe0" ,
2017-10-26 08:28:53 +00:00
"values" : [
{
2018-12-09 08:16:03 +00:00
"description" : "[Windows Credential Editor](https://attack.mitre.org/software/S0005) is a password dumping tool. (Citation: Amplia WCE)" ,
2017-10-26 08:28:53 +00:00
"meta" : {
2018-12-09 08:16:03 +00:00
"external_id" : "S0005" ,
"mitre_platforms" : [
"Windows"
] ,
2017-10-26 08:28:53 +00:00
"refs" : [
2022-05-25 19:00:57 +00:00
"http://www.ampliasecurity.com/research/wcefaq.html" ,
"https://attack.mitre.org/software/S0005"
2017-10-26 08:28:53 +00:00
] ,
"synonyms" : [
"Windows Credential Editor" ,
"WCE"
2018-12-09 08:16:03 +00:00
]
2017-10-26 08:28:53 +00:00
} ,
2018-12-09 08:16:03 +00:00
"related" : [
{
2020-10-18 18:00:48 +00:00
"dest-uuid" : "65f2d882-3f41-4d48-8a06-29af77ec9f90" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
}
] ,
"uuid" : "242f3da3-4425-4d11-8f5c-b842886da966" ,
"value" : "Windows Credential Editor - S0005"
2017-10-26 08:28:53 +00:00
} ,
2023-05-08 14:04:50 +00:00
{
"description" : "[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of [Brute Ratel C4](https://attack.mitre.org/software/S1063) was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)" ,
"meta" : {
"external_id" : "S1063" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S1063" ,
"https://bruteratel.com/" ,
"https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" ,
"https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/" ,
"https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/" ,
"https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html"
] ,
"synonyms" : [
"Brute Ratel C4" ,
"BRc4"
]
} ,
"related" : [
{
"dest-uuid" : "01a5a209-b94c-450b-b7f9-946497d91055" ,
"type" : "uses"
} ,
{
"dest-uuid" : "0259baeb-9f63-4c69-bf10-eb038c390688" ,
"type" : "uses"
} ,
{
"dest-uuid" : "1996eef1-ced3-4d7f-bf94-33298cabbf72" ,
"type" : "uses"
} ,
{
"dest-uuid" : "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ,
"type" : "uses"
} ,
{
"dest-uuid" : "208884f1-7b83-4473-ac22-4e1cf6c41471" ,
"type" : "uses"
} ,
{
"dest-uuid" : "21875073-b0ee-49e3-9077-1e2a885359af" ,
"type" : "uses"
} ,
{
"dest-uuid" : "232b7f21-adf9-4b42-b936-b9d6f7df856e" ,
"type" : "uses"
} ,
{
"dest-uuid" : "2aed01ad-3df3-4410-a8cb-11ea4ded587c" ,
"type" : "uses"
} ,
{
"dest-uuid" : "2fee9321-3e71-4cf4-af24-d4d40d355b34" ,
"type" : "uses"
} ,
{
"dest-uuid" : "391d824f-0ef1-47a0-b0ee-c59a75e27670" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3ccef7ae-cb5e-48f6-8302-897105fbf55c" ,
"type" : "uses"
} ,
{
"dest-uuid" : "4933e63b-9b77-476e-ab29-761bc5b7d15a" ,
"type" : "uses"
} ,
{
"dest-uuid" : "4bed873f-0b7d-41d4-b93a-b6905d1f90b0" ,
"type" : "uses"
} ,
{
"dest-uuid" : "4f9ca633-15c5-463c-9724-bdcd54fde541" ,
"type" : "uses"
} ,
{
"dest-uuid" : "4fe28b27-b13c-453e-a386-c2ef362a573b" ,
"type" : "uses"
} ,
{
"dest-uuid" : "54a649ff-439a-41a4-9856-8d144a2551ba" ,
"type" : "uses"
} ,
{
"dest-uuid" : "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65" ,
"type" : "uses"
} ,
{
"dest-uuid" : "74d2a63f-3c7b-4852-92da-02d8fbab16da" ,
"type" : "uses"
} ,
{
"dest-uuid" : "767dbf9e-df3f-45cb-8998-4903ab5f80c0" ,
"type" : "uses"
} ,
{
"dest-uuid" : "830c9528-df21-472c-8c14-a036bf17d665" ,
"type" : "uses"
} ,
{
"dest-uuid" : "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ,
"type" : "uses"
} ,
{
"dest-uuid" : "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ,
"type" : "uses"
} ,
{
"dest-uuid" : "c21d5a77-d422-4a69-acd7-2c53c1faa34b" ,
"type" : "uses"
} ,
{
"dest-uuid" : "cba37adb-d6fb-4610-b069-dd04c0643384" ,
"type" : "uses"
} ,
{
"dest-uuid" : "d1fcf083-a721-4223-aedf-bf8960798d62" ,
"type" : "uses"
} ,
{
"dest-uuid" : "df8b2a25-8bdf-4856-953c-a04372b1c161" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e3a12395-188d-4051-9a16-ea8e14d07b88" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
"type" : "uses"
} ,
{
"dest-uuid" : "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f1951e8a-500e-4a26-8803-76d95c4554b4" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f2877f7f-9a4c-4251-879f-1224e3006bee" ,
"type" : "uses"
}
] ,
"uuid" : "75d8b521-6b6a-42ff-8af3-d97e20ce12a5" ,
"value" : "Brute Ratel C4 - S1063"
} ,
2017-10-26 08:28:53 +00:00
{
2018-12-09 08:16:03 +00:00
"description" : "[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)" ,
2017-10-26 08:28:53 +00:00
"meta" : {
2018-12-09 08:16:03 +00:00
"external_id" : "S0122" ,
2017-10-26 08:28:53 +00:00
"refs" : [
2018-12-09 08:16:03 +00:00
"https://attack.mitre.org/software/S0122" ,
2018-12-09 07:32:48 +00:00
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
2022-05-25 19:03:14 +00:00
]
2018-12-09 07:32:48 +00:00
} ,
2018-12-09 08:16:03 +00:00
"related" : [
{
2020-10-18 18:00:48 +00:00
"dest-uuid" : "e624264c-033a-424d-9fd7-fc9c3bbdb03e" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "c23b740b-a42b-47a1-aec2-9d48ddd547ff" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
}
] ,
"uuid" : "a52edc76-328d-4596-85e7-d56ef5a9eb69" ,
"value" : "Pass-The-Hash Toolkit - S0122"
2018-12-09 07:32:48 +00:00
} ,
2021-04-29 16:12:36 +00:00
{
"description" : "[CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020)" ,
"meta" : {
"external_id" : "S0527" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0527" ,
"https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"
] ,
"synonyms" : [
"CSPY Downloader"
]
} ,
"related" : [
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "120d5519-3098-4e1c-9191-2aa61232f073" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "232b7f21-adf9-4b42-b936-b9d6f7df856e" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "29be378d-262d-4e99-b00d-852d573628e6" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-04-25 16:29:57 +00:00
"dest-uuid" : "32901740-b42c-4fdd-bc02-345b5dc57082" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "57340c81-c025-4189-8fa0-fc7ede51bae4" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "799ace7f-e227-4411-baa0-8868704f2a69" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-04-25 16:29:57 +00:00
"dest-uuid" : "d63a3fb8-9452-4e9d-a60a-54be68d5998c" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "deb98323-e13f-4b0c-8d94-175379069062" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "df8b2a25-8bdf-4856-953c-a04372b1c161" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
}
] ,
"uuid" : "5256c0f8-9108-4c92-8b09-482dfacdcd94" ,
"value" : "CSPY Downloader - S0527"
} ,
2020-10-18 18:00:48 +00:00
{
"description" : "[Imminent Monitor](https://attack.mitre.org/software/S0434) was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.(Citation: Imminent Unit42 Dec2019)" ,
"meta" : {
"external_id" : "S0434" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0434" ,
"https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/"
] ,
"synonyms" : [
"Imminent Monitor"
]
} ,
"related" : [
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "09a60ea3-a8d1-4ae5-976e-5783248b72a4" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-04-25 16:29:57 +00:00
"dest-uuid" : "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "391d824f-0ef1-47a0-b0ee-c59a75e27670" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "3ccef7ae-cb5e-48f6-8302-897105fbf55c" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-04-25 16:29:57 +00:00
"dest-uuid" : "6faf650d-bf31-4eb4-802d-1000cf38efaf" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "7385dfaf-6886-4229-9ecd-6fd678040830" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "7bc57495-ea59-4380-be31-a64af124ef18" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "92d7da27-2d91-488e-a00c-059dc162766d" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "ac08589e-ee59-4935-8667-d845e38fe579" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "cd25c1b4-935c-4f0e-ba8d-552f28bc4783" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "d63a3fb8-9452-4e9d-a60a-54be68d5998c" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "eb062747-2193-45de-8fa2-e62549c37ddf" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-04-25 16:29:57 +00:00
"dest-uuid" : "ec8fc7e2-b356-455c-8db5-2e37be158e7d" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
}
] ,
"uuid" : "8f8cd191-902c-4e83-bf20-b57c8c4640e9" ,
"value" : "Imminent Monitor - S0434"
} ,
2017-10-26 08:28:53 +00:00
{
2018-12-09 08:16:03 +00:00
"description" : "[Invoke-PSImage](https://attack.mitre.org/software/S0231) takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from a file of from the web. Example of usage is embedding the PowerShell code from the Invoke-Mimikatz module and embed it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. (Citation: GitHub Invoke-PSImage)" ,
2017-10-26 08:28:53 +00:00
"meta" : {
2018-12-09 08:16:03 +00:00
"external_id" : "S0231" ,
2017-10-26 08:28:53 +00:00
"refs" : [
2018-12-09 08:16:03 +00:00
"https://attack.mitre.org/software/S0231" ,
"https://github.com/peewpw/Invoke-PSImage"
2022-11-01 21:39:33 +00:00
] ,
"synonyms" : [
"Invoke-PSImage"
2022-05-25 19:03:14 +00:00
]
2017-10-26 08:28:53 +00:00
} ,
2018-10-12 09:00:00 +00:00
"related" : [
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "0533ab23-3f7d-463f-9bd8-634d27e4dee1" ,
"type" : "uses"
} ,
{
"dest-uuid" : "c2e147a9-d1a8-4074-811a-d8789202d916" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-10-12 09:00:00 +00:00
}
] ,
2018-12-09 08:16:03 +00:00
"uuid" : "b52d6583-14a2-4ddc-8527-87fd2142558f" ,
"value" : "Invoke-PSImage - S0231"
2017-10-26 08:28:53 +00:00
} ,
{
2018-12-09 08:16:03 +00:00
"description" : "[ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)" ,
2017-10-26 08:28:53 +00:00
"meta" : {
2018-12-09 08:16:03 +00:00
"external_id" : "S0100" ,
2017-10-26 08:28:53 +00:00
"refs" : [
2018-12-09 08:16:03 +00:00
"https://attack.mitre.org/software/S0100" ,
"https://technet.microsoft.com/en-us/library/bb490921.aspx"
2022-11-01 21:39:33 +00:00
] ,
"synonyms" : [
2022-11-28 11:48:29 +00:00
"ipconfig"
2022-05-25 19:03:14 +00:00
]
2017-10-26 08:28:53 +00:00
} ,
2018-08-14 07:32:24 +00:00
"related" : [
{
2018-12-09 08:16:03 +00:00
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-08-14 07:32:24 +00:00
}
] ,
2018-12-09 08:16:03 +00:00
"uuid" : "294e2560-bd48-44b2-9da2-833b5588ad11" ,
"value" : "ipconfig - S0100"
2017-10-26 08:28:53 +00:00
} ,
{
2018-12-09 08:16:03 +00:00
"description" : "[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)" ,
2017-10-26 08:28:53 +00:00
"meta" : {
2018-12-09 08:16:03 +00:00
"external_id" : "S0002" ,
"mitre_platforms" : [
"Windows"
2017-10-26 08:28:53 +00:00
] ,
"refs" : [
2022-05-25 19:00:57 +00:00
"https://adsecurity.org/?page_id=1821" ,
2018-12-09 08:16:03 +00:00
"https://attack.mitre.org/software/S0002" ,
2022-05-25 19:00:57 +00:00
"https://github.com/gentilkiwi/mimikatz"
2017-10-26 08:28:53 +00:00
] ,
2018-12-09 08:16:03 +00:00
"synonyms" : [
"Mimikatz"
]
2017-10-26 08:28:53 +00:00
} ,
2018-10-12 09:00:00 +00:00
"related" : [
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "1644e709-12d2-41e5-a60f-3470991f5011" ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "1ecfdab8-7d59-4c98-95d4-dc41970f57fc" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "3fc9b85a-2862-4363-a64d-d692e3ffbee0" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "5095a853-299c-4876-abd7-ac0050fb5462" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "564998d8-ab3e-4123-93fb-eccaa6b9714a" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "60b508a1-6a5e-46b1-821a-9f7b78752abf" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "65f2d882-3f41-4d48-8a06-29af77ec9f90" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "768dce68-8d0d-477a-b01d-0eea98b963a1" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "7b211ac6-c815-4189-93a9-ab415deca926" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
2022-11-28 11:48:29 +00:00
{
"dest-uuid" : "7de1f7ac-5d0c-4c9c-8873-627202205331" ,
"type" : "uses"
} ,
2020-10-18 18:00:48 +00:00
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "7f3a035d-d83a-45b8-8111-412aa8ade802" ,
2020-10-18 18:00:48 +00:00
"tags" : [
2022-05-25 19:00:57 +00:00
"estimative-language:likelihood-probability=\"likely\""
2020-10-18 18:00:48 +00:00
] ,
2022-05-25 19:00:57 +00:00
"type" : "similar"
2020-10-18 18:00:48 +00:00
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "a10641f4-87b4-45a3-a906-92a149cb2c27" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "b7dc639b-24cd-482d-a7f1-8897eda21023" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "d273434a-448e-4598-8e14-607f4a0d5e27" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "d336b553-5da9-46ca-98a8-0b23f49fb447" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2019-10-27 20:06:26 +00:00
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "e624264c-033a-424d-9fd7-fc9c3bbdb03e" ,
2019-10-27 20:06:26 +00:00
"type" : "uses"
2021-04-29 16:12:36 +00:00
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "f303a39a-6255-4b89-aecc-18c4d8ca7163" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "7f3a035d-d83a-45b8-8111-412aa8ade802" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-10-12 09:00:00 +00:00
}
] ,
2018-12-09 08:16:03 +00:00
"uuid" : "afc079f3-c0ea-4096-b75d-3f05338b7f60" ,
"value" : "Mimikatz - S0002"
2017-10-26 08:28:53 +00:00
} ,
{
2019-04-30 17:07:57 +00:00
"description" : "[HTRAN](https://attack.mitre.org/software/S0040) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)(Citation: NCSC Joint Report Public Tools)" ,
2017-10-26 08:28:53 +00:00
"meta" : {
2018-12-09 08:16:03 +00:00
"external_id" : "S0040" ,
"mitre_platforms" : [
"Linux" ,
"Windows"
] ,
2017-10-26 08:28:53 +00:00
"refs" : [
2018-12-09 08:16:03 +00:00
"https://attack.mitre.org/software/S0040" ,
2019-04-30 17:07:57 +00:00
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf" ,
2021-04-29 16:12:36 +00:00
"https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools"
2017-10-26 08:28:53 +00:00
] ,
"synonyms" : [
2018-12-09 08:16:03 +00:00
"HTRAN" ,
"HUC Packet Transmit Tool"
]
2017-10-26 08:28:53 +00:00
} ,
2018-12-09 08:16:03 +00:00
"related" : [
2022-05-25 19:00:57 +00:00
{
"dest-uuid" : "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" ,
"type" : "uses"
} ,
2018-12-09 08:16:03 +00:00
{
"dest-uuid" : "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
2022-04-25 16:29:57 +00:00
"dest-uuid" : "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2019-04-30 17:07:57 +00:00
} ,
{
2022-04-25 16:29:57 +00:00
"dest-uuid" : "731f4f55-b6d0-41d1-a7a9-072a66389aea" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "731f4f55-b6d0-41d1-a7a9-072a66389aea" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
}
] ,
"uuid" : "d5e96a35-7b0b-4c6a-9533-d63ecbda563e" ,
"value" : "HTRAN - S0040"
2017-10-26 08:28:53 +00:00
} ,
2020-11-25 06:45:48 +00:00
{
"description" : "[MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 2019)" ,
"meta" : {
"external_id" : "S0500" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0500" ,
"https://www.secureworks.com/research/mcmd-malware-analysis"
] ,
"synonyms" : [
"MCMD"
]
} ,
"related" : [
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-04-25 16:29:57 +00:00
"dest-uuid" : "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "9efb1ea7-c37b-4595-9640-b7680cd84279" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "cbb66055-0325-4111-aca0-40547b6ad5b0" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d1fcf083-a721-4223-aedf-bf8960798d62" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "df8b2a25-8bdf-4856-953c-a04372b1c161" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
}
] ,
"uuid" : "975737f1-b10d-476f-8bda-3ec26ea57172" ,
"value" : "MCMD - S0500"
} ,
2017-10-26 08:28:53 +00:00
{
2018-12-09 08:16:03 +00:00
"description" : "[pwdump](https://attack.mitre.org/software/S0006) is a credential dumper. (Citation: Wikipedia pwdump)" ,
2017-10-26 08:28:53 +00:00
"meta" : {
2018-12-09 08:16:03 +00:00
"external_id" : "S0006" ,
"mitre_platforms" : [
"Windows"
] ,
2017-10-26 08:28:53 +00:00
"refs" : [
2018-12-09 08:16:03 +00:00
"https://attack.mitre.org/software/S0006" ,
"https://en.wikipedia.org/wiki/Pwdump"
2017-10-26 08:28:53 +00:00
] ,
2018-12-09 08:16:03 +00:00
"synonyms" : [
"pwdump"
]
2017-10-26 08:28:53 +00:00
} ,
2018-12-09 08:16:03 +00:00
"related" : [
{
2020-10-18 18:00:48 +00:00
"dest-uuid" : "1644e709-12d2-41e5-a60f-3470991f5011" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
}
] ,
"uuid" : "9de2308e-7bed-43a3-8e58-f194b3586700" ,
"value" : "pwdump - S0006"
2017-10-26 08:28:53 +00:00
} ,
{
2018-12-09 08:16:03 +00:00
"description" : "[gsecdump](https://attack.mitre.org/software/S0008) is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)" ,
2017-10-26 08:28:53 +00:00
"meta" : {
2018-12-09 08:16:03 +00:00
"external_id" : "S0008" ,
"mitre_platforms" : [
"Windows"
] ,
2017-10-26 08:28:53 +00:00
"refs" : [
2018-12-09 08:16:03 +00:00
"https://attack.mitre.org/software/S0008" ,
"https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5"
2017-10-26 08:28:53 +00:00
] ,
2018-12-09 08:16:03 +00:00
"synonyms" : [
"gsecdump"
]
2017-10-26 08:28:53 +00:00
} ,
2018-12-09 07:32:48 +00:00
"related" : [
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "1644e709-12d2-41e5-a60f-3470991f5011" ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
} ,
{
2022-04-25 16:29:57 +00:00
"dest-uuid" : "1ecfdab8-7d59-4c98-95d4-dc41970f57fc" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "8410d208-7450-407d-b56c-e5c1ced19632" ,
2018-12-09 08:16:03 +00:00
"tags" : [
2022-05-25 19:00:57 +00:00
"estimative-language:likelihood-probability=\"likely\""
2018-12-09 08:16:03 +00:00
] ,
2022-05-25 19:00:57 +00:00
"type" : "similar"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "8410d208-7450-407d-b56c-e5c1ced19632" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-12-09 07:32:48 +00:00
}
] ,
2018-12-09 08:16:03 +00:00
"uuid" : "b07c2c47-fefb-4d7c-a69e-6a3296171f54" ,
"value" : "gsecdump - S0008"
2017-10-26 08:28:53 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"description" : "[at](https://attack.mitre.org/software/S0110) is used to schedule tasks on a system to run at a specified date or time.(Citation: TechNet At)(Citation: Linux at)" ,
2017-10-26 08:28:53 +00:00
"meta" : {
2018-12-09 08:16:03 +00:00
"external_id" : "S0110" ,
"mitre_platforms" : [
"Linux" ,
"Windows" ,
"macOS"
2017-10-26 08:28:53 +00:00
] ,
"refs" : [
2018-12-09 08:16:03 +00:00
"https://attack.mitre.org/software/S0110" ,
2022-11-28 11:48:29 +00:00
"https://man7.org/linux/man-pages/man1/at.1p.html" ,
2018-12-09 08:16:03 +00:00
"https://technet.microsoft.com/en-us/library/bb490866.aspx"
2017-10-26 08:28:53 +00:00
] ,
"synonyms" : [
2018-12-09 08:16:03 +00:00
"at" ,
"at.exe"
]
2017-10-26 08:28:53 +00:00
} ,
2018-12-09 08:16:03 +00:00
"related" : [
{
2020-10-18 18:00:48 +00:00
"dest-uuid" : "f3d95a1f-bba2-44ce-9af7-37866cd63fd0" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "35dd844a-b219-4e2b-a6bb-efa9a75995a9" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
}
] ,
"uuid" : "0c8465c0-d0b4-4670-992e-4eee8d7ff952" ,
"value" : "at - S0110"
2017-10-26 08:28:53 +00:00
} ,
{
2018-12-09 08:16:03 +00:00
"description" : "[ifconfig](https://attack.mitre.org/software/S0101) is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)" ,
2017-10-26 08:28:53 +00:00
"meta" : {
2018-12-09 08:16:03 +00:00
"external_id" : "S0101" ,
2017-10-26 08:28:53 +00:00
"refs" : [
2018-12-09 08:16:03 +00:00
"https://attack.mitre.org/software/S0101" ,
"https://en.wikipedia.org/wiki/Ifconfig"
2022-05-25 19:03:14 +00:00
]
2017-10-26 08:28:53 +00:00
} ,
2018-12-09 08:16:03 +00:00
"related" : [
{
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
}
] ,
"uuid" : "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5" ,
"value" : "ifconfig - S0101"
2018-12-09 07:32:48 +00:00
} ,
{
2018-12-09 08:16:03 +00:00
"description" : "[Fgdump](https://attack.mitre.org/software/S0120) is a Windows password hash dumper. (Citation: Mandiant APT1)" ,
2018-12-09 07:32:48 +00:00
"meta" : {
2018-12-09 08:16:03 +00:00
"external_id" : "S0120" ,
"mitre_platforms" : [
"Windows"
] ,
2018-12-09 07:32:48 +00:00
"refs" : [
2018-12-09 08:16:03 +00:00
"https://attack.mitre.org/software/S0120" ,
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
2018-12-09 07:32:48 +00:00
] ,
"synonyms" : [
2018-12-09 08:16:03 +00:00
"Fgdump"
]
2018-12-09 07:32:48 +00:00
} ,
2018-12-09 08:16:03 +00:00
"related" : [
{
2020-10-18 18:00:48 +00:00
"dest-uuid" : "1644e709-12d2-41e5-a60f-3470991f5011" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
}
] ,
"uuid" : "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe" ,
"value" : "Fgdump - S0120"
2018-12-09 07:32:48 +00:00
} ,
{
2018-12-09 08:16:03 +00:00
"description" : "[nbtstat](https://attack.mitre.org/software/S0102) is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)" ,
2018-12-09 07:32:48 +00:00
"meta" : {
2018-12-09 08:16:03 +00:00
"external_id" : "S0102" ,
2017-10-26 08:28:53 +00:00
"refs" : [
2018-12-09 08:16:03 +00:00
"https://attack.mitre.org/software/S0102" ,
2017-10-26 08:28:53 +00:00
"https://technet.microsoft.com/en-us/library/cc940106.aspx"
2022-05-25 19:03:14 +00:00
]
2017-10-26 08:28:53 +00:00
} ,
2018-12-09 08:16:03 +00:00
"related" : [
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "7e150503-88e7-4861-866b-ff1ac82c4475" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "7e150503-88e7-4861-866b-ff1ac82c4475" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
}
] ,
"uuid" : "b35068ec-107a-4266-bda8-eb7036267aea" ,
"value" : "nbtstat - S0102"
2017-10-26 08:28:53 +00:00
} ,
{
2018-12-09 08:16:03 +00:00
"description" : "[route](https://attack.mitre.org/software/S0103) can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)" ,
2017-10-26 08:28:53 +00:00
"meta" : {
2018-12-09 08:16:03 +00:00
"external_id" : "S0103" ,
2017-10-26 08:28:53 +00:00
"refs" : [
2018-12-09 08:16:03 +00:00
"https://attack.mitre.org/software/S0103" ,
"https://technet.microsoft.com/en-us/library/bb490991.aspx"
2022-05-25 19:03:14 +00:00
]
2017-10-26 08:28:53 +00:00
} ,
2018-12-09 08:16:03 +00:00
"related" : [
{
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
}
] ,
"uuid" : "c11ac61d-50f4-444f-85d8-6f006067f0de" ,
"value" : "route - S0103"
2017-10-26 08:28:53 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"description" : "[Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a number of ransomware campaigns, including those associated with the [Conti](https://attack.mitre.org/software/S0575) and DarkSide Ransomware-as-a-Service operations.(Citation: Rclone)(Citation: Rclone Wars)(Citation: Detecting Rclone)(Citation: DarkSide Ransomware Gang)(Citation: DFIR Conti Bazar Nov 2021)" ,
2017-10-26 08:28:53 +00:00
"meta" : {
2022-11-28 11:48:29 +00:00
"external_id" : "S1040" ,
2022-11-01 21:39:33 +00:00
"mitre_platforms" : [
"Linux" ,
2022-11-28 11:48:29 +00:00
"Windows" ,
2022-11-01 21:39:33 +00:00
"macOS"
] ,
2017-10-26 08:28:53 +00:00
"refs" : [
2022-11-28 11:48:29 +00:00
"https://attack.mitre.org/software/S1040" ,
"https://rclone.org" ,
"https://redcanary.com/blog/rclone-mega-extortion/" ,
"https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/" ,
"https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" ,
"https://unit42.paloaltonetworks.com/darkside-ransomware/"
] ,
"synonyms" : [
"Rclone"
]
} ,
"related" : [
{
"dest-uuid" : "00f90846-cbd1-4fc5-9233-df5c2bf2a662" ,
"type" : "uses"
} ,
{
"dest-uuid" : "7bc57495-ea59-4380-be31-a64af124ef18" ,
"type" : "uses"
} ,
{
"dest-uuid" : "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "bf1b6176-597c-4600-bfcd-ac989670f96b" ,
"type" : "uses"
} ,
{
"dest-uuid" : "c3888c54-775d-4b2f-b759-75a2ececcbfd" ,
"type" : "uses"
} ,
{
"dest-uuid" : "fb8d023d-45be-47e9-bc51-f56bcae6435b" ,
"type" : "uses"
}
] ,
"uuid" : "59096109-a1dd-463b-87e7-a8d110fe3a79" ,
"value" : "Rclone - S1040"
} ,
{
"description" : "[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)" ,
"meta" : {
"external_id" : "S0104" ,
"refs" : [
"https://attack.mitre.org/software/S0104" ,
"https://technet.microsoft.com/en-us/library/bb490947.aspx"
] ,
"synonyms" : [
"netstat"
]
} ,
"related" : [
{
"dest-uuid" : "7e150503-88e7-4861-866b-ff1ac82c4475" ,
"type" : "uses"
} ,
{
"dest-uuid" : "7e150503-88e7-4861-866b-ff1ac82c4475" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
}
] ,
"uuid" : "4664b683-f578-434f-919b-1c1aad2a1111" ,
"value" : "netstat - S0104"
} ,
{
"description" : "[PcShare](https://attack.mitre.org/software/S1050) is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.(Citation: Bitdefender FunnyDream Campaign November 2020)(Citation: GitHub PcShare 2014)" ,
"meta" : {
"external_id" : "S1050" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S1050" ,
"https://github.com/LiveMirror/pcshare" ,
"https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf"
] ,
"synonyms" : [
"PcShare"
]
} ,
"related" : [
{
"dest-uuid" : "0259baeb-9f63-4c69-bf10-eb038c390688" ,
"type" : "uses"
} ,
{
"dest-uuid" : "045d0922-2310-4e60-b5e4-3302302cb3c5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "09a60ea3-a8d1-4ae5-976e-5783248b72a4" ,
"type" : "uses"
} ,
{
"dest-uuid" : "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ,
"type" : "uses"
} ,
{
"dest-uuid" : "391d824f-0ef1-47a0-b0ee-c59a75e27670" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3ccef7ae-cb5e-48f6-8302-897105fbf55c" ,
"type" : "uses"
} ,
{
"dest-uuid" : "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ,
"type" : "uses"
} ,
{
"dest-uuid" : "57340c81-c025-4189-8fa0-fc7ede51bae4" ,
"type" : "uses"
} ,
{
"dest-uuid" : "6faf650d-bf31-4eb4-802d-1000cf38efaf" ,
"type" : "uses"
} ,
{
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
"type" : "uses"
} ,
{
"dest-uuid" : "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ,
"type" : "uses"
} ,
{
"dest-uuid" : "92d7da27-2d91-488e-a00c-059dc162766d" ,
"type" : "uses"
} ,
{
"dest-uuid" : "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ,
"type" : "uses"
} ,
{
"dest-uuid" : "b4b7458f-81f2-4d38-84be-1c5ba0167a52" ,
"type" : "uses"
} ,
{
"dest-uuid" : "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae" ,
"type" : "uses"
} ,
{
"dest-uuid" : "c32f7008-9fea-41f7-8366-5eb9b74bd896" ,
"type" : "uses"
} ,
{
"dest-uuid" : "d1fcf083-a721-4223-aedf-bf8960798d62" ,
"type" : "uses"
} ,
{
"dest-uuid" : "d63a3fb8-9452-4e9d-a60a-54be68d5998c" ,
"type" : "uses"
} ,
{
"dest-uuid" : "df8b2a25-8bdf-4856-953c-a04372b1c161" ,
"type" : "uses"
}
] ,
"uuid" : "3a53b207-aba2-4a2b-9cdb-273d633669e7" ,
"value" : "PcShare - S1050"
} ,
{
"description" : "[dsquery](https://attack.mitre.org/software/S0105) is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle." ,
"meta" : {
"external_id" : "S0105" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0105" ,
"https://technet.microsoft.com/en-us/library/cc732952.aspx"
] ,
"synonyms" : [
"dsquery" ,
"dsquery.exe"
]
} ,
"related" : [
{
"dest-uuid" : "21875073-b0ee-49e3-9077-1e2a885359af" ,
"type" : "uses"
} ,
{
"dest-uuid" : "2aed01ad-3df3-4410-a8cb-11ea4ded587c" ,
"type" : "uses"
} ,
{
"dest-uuid" : "354a7f88-63fb-41b5-a801-ce3b377b36f1" ,
"type" : "uses"
} ,
{
"dest-uuid" : "767dbf9e-df3f-45cb-8998-4903ab5f80c0" ,
"type" : "uses"
} ,
{
"dest-uuid" : "15dbf668-795c-41e6-8219-f0447c0e64ce" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
}
] ,
"uuid" : "38952eac-cb1b-4a71-bad2-ee8223a1c8fe" ,
"value" : "dsquery - S0105"
} ,
{
"description" : "[cmd](https://attack.mitre.org/software/S0106) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd)\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code> (Citation: TechNet Dir)), deleting files (e.g., <code>del</code> (Citation: TechNet Del)), and copying files (e.g., <code>copy</code> (Citation: TechNet Copy))." ,
"meta" : {
"external_id" : "S0106" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0106" ,
"https://technet.microsoft.com/en-us/library/bb490880.aspx" ,
"https://technet.microsoft.com/en-us/library/bb490886.aspx" ,
"https://technet.microsoft.com/en-us/library/cc755121.aspx" ,
"https://technet.microsoft.com/en-us/library/cc771049.aspx"
] ,
"synonyms" : [
"cmd" ,
"cmd.exe"
]
} ,
"related" : [
{
"dest-uuid" : "354a7f88-63fb-41b5-a801-ce3b377b36f1" ,
"type" : "uses"
} ,
{
"dest-uuid" : "7bc57495-ea59-4380-be31-a64af124ef18" ,
"type" : "uses"
} ,
{
"dest-uuid" : "bf90d72c-c00b-45e3-b3aa-68560560d4c5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "d1fcf083-a721-4223-aedf-bf8960798d62" ,
"type" : "uses"
} ,
{
"dest-uuid" : "d63a3fb8-9452-4e9d-a60a-54be68d5998c" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
"type" : "uses"
} ,
{
"dest-uuid" : "56fca983-1cf1-4fd1-bda0-5e170a37ab59" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
}
] ,
"uuid" : "bba595da-b73a-4354-aa6c-224d4de7cb4e" ,
"value" : "cmd - S0106"
} ,
{
"description" : "[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)" ,
"meta" : {
"external_id" : "S0160" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0160" ,
"https://technet.microsoft.com/library/cc732443.aspx"
] ,
"synonyms" : [
"certutil" ,
"certutil.exe"
]
} ,
"related" : [
{
"dest-uuid" : "00f90846-cbd1-4fc5-9233-df5c2bf2a662" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3ccef7ae-cb5e-48f6-8302-897105fbf55c" ,
"type" : "uses"
} ,
{
"dest-uuid" : "c615231b-f253-4f58-9d47-d5b4cbdb6839" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3e205e84-9f90-4b4b-8896-c82189936a15" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
}
] ,
"uuid" : "0a68f1f1-da74-4d28-8d9a-696c082706cc" ,
"value" : "certutil - S0160"
} ,
{
"description" : "[netsh](https://attack.mitre.org/software/S0108) is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)" ,
"meta" : {
"external_id" : "S0108" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0108" ,
"https://technet.microsoft.com/library/bb490939.aspx"
] ,
"synonyms" : [
"netsh" ,
"netsh.exe"
]
} ,
"related" : [
{
"dest-uuid" : "5372c5fe-f424-4def-bcd5-d3a8e770f07b" ,
"type" : "uses"
} ,
{
"dest-uuid" : "731f4f55-b6d0-41d1-a7a9-072a66389aea" ,
"type" : "uses"
} ,
{
"dest-uuid" : "cba37adb-d6fb-4610-b069-dd04c0643384" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed" ,
"type" : "uses"
} ,
{
"dest-uuid" : "241814ae-de3f-4656-b49e-f9a80764d4b7" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
}
] ,
"uuid" : "5a63f900-5e7e-4928-a746-dd4558e1df71" ,
"value" : "netsh - S0108"
} ,
{
"description" : "[BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)" ,
"meta" : {
"external_id" : "S0190" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0190" ,
"https://msdn.microsoft.com/library/aa362813.aspx"
] ,
"synonyms" : [
"BITSAdmin"
]
} ,
"related" : [
{
"dest-uuid" : "bf90d72c-c00b-45e3-b3aa-68560560d4c5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "c8e87b83-edbb-48d4-9295-4974897525b7" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
"type" : "uses"
} ,
{
"dest-uuid" : "fb8d023d-45be-47e9-bc51-f56bcae6435b" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
}
] ,
"uuid" : "64764dc6-a032-495f-8250-1e4c06bdc163" ,
"value" : "BITSAdmin - S0190"
} ,
{
"description" : "[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.(Citation: Github Koadic)(Citation: Palo Alto Sofacy 06-2018)(Citation: MalwareBytes LazyScripter Feb 2021)" ,
"meta" : {
"external_id" : "S0250" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0250" ,
"https://github.com/zerosum0x0/koadic" ,
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" ,
"https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf"
] ,
"synonyms" : [
"Koadic"
]
} ,
"related" : [
{
"dest-uuid" : "005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ,
"type" : "uses"
} ,
{
"dest-uuid" : "01a5a209-b94c-450b-b7f9-946497d91055" ,
"type" : "uses"
} ,
{
"dest-uuid" : "03d7999c-1f4c-42cc-8373-e7690d318104" ,
"type" : "uses"
} ,
{
"dest-uuid" : "045d0922-2310-4e60-b5e4-3302302cb3c5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "120d5519-3098-4e1c-9191-2aa61232f073" ,
"type" : "uses"
} ,
{
"dest-uuid" : "1644e709-12d2-41e5-a60f-3470991f5011" ,
"type" : "uses"
} ,
{
"dest-uuid" : "30973a08-aed9-4edf-8604-9084ce1b5c4f" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3489cfc5-640f-4bb3-a103-9137b97de79f" ,
"type" : "uses"
} ,
{
"dest-uuid" : "354a7f88-63fb-41b5-a801-ce3b377b36f1" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
"type" : "uses"
} ,
{
"dest-uuid" : "7bc57495-ea59-4380-be31-a64af124ef18" ,
"type" : "uses"
} ,
{
"dest-uuid" : "840a987a-99bd-4a80-a5c9-0cb2baa6cade" ,
"type" : "uses"
} ,
{
"dest-uuid" : "970a3432-3237-47ad-bcca-7d8cbb217736" ,
"type" : "uses"
} ,
{
"dest-uuid" : "9efb1ea7-c37b-4595-9640-b7680cd84279" ,
"type" : "uses"
} ,
{
"dest-uuid" : "b97f1d35-4249-4486-a6b5-ee60ccf24fab" ,
"type" : "uses"
} ,
{
"dest-uuid" : "bf176076-b789-408e-8cba-7275e81c0ada" ,
"type" : "uses"
} ,
{
"dest-uuid" : "cbb66055-0325-4111-aca0-40547b6ad5b0" ,
"type" : "uses"
} ,
{
"dest-uuid" : "d1fcf083-a721-4223-aedf-bf8960798d62" ,
"type" : "uses"
} ,
{
"dest-uuid" : "df8b2a25-8bdf-4856-953c-a04372b1c161" ,
"type" : "uses"
} ,
{
"dest-uuid" : "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e3a12395-188d-4051-9a16-ea8e14d07b88" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
"type" : "uses"
} ,
{
"dest-uuid" : "eb062747-2193-45de-8fa2-e62549c37ddf" ,
"type" : "uses"
} ,
{
"dest-uuid" : "edf91964-b26e-4b4a-9600-ccacd7d7df24" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f1951e8a-500e-4a26-8803-76d95c4554b4" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f4599aa0-4f85-4a32-80ea-fc39dc965945" ,
"type" : "uses"
}
] ,
"uuid" : "c8655260-9f4b-44e3-85e1-6538a5f6e4f4" ,
"value" : "Koadic - S0250"
} ,
{
"description" : "[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS PsExec)" ,
"meta" : {
"external_id" : "S0029" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0029" ,
"https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" ,
"https://www.sans.org/blog/protecting-privileged-domain-accounts-psexec-deep-dive/"
] ,
"synonyms" : [
"PsExec"
]
} ,
"related" : [
{
"dest-uuid" : "2959d63f-73fd-46a1-abd2-109d7dcede32" ,
"type" : "uses"
} ,
{
"dest-uuid" : "4f9ca633-15c5-463c-9724-bdcd54fde541" ,
"type" : "uses"
} ,
{
"dest-uuid" : "6dd05630-9bd8-11e8-a8b9-47ce338a4367" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "7610cada-1499-41a4-b3dd-46467b68d177" ,
"type" : "uses"
} ,
{
"dest-uuid" : "bf90d72c-c00b-45e3-b3aa-68560560d4c5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f1951e8a-500e-4a26-8803-76d95c4554b4" ,
"type" : "uses"
} ,
{
"dest-uuid" : "6dd05630-9bd8-11e8-a8b9-47ce338a4367" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "ffe742ed-9100-4686-9e00-c331da544787" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
}
] ,
"uuid" : "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" ,
"value" : "PsExec - S0029"
} ,
{
"description" : "The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\n[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) using <code>net use</code> commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as <code>net1 user</code>." ,
"meta" : {
"external_id" : "S0039" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"http://windowsitpro.com/windows/netexe-reference" ,
"https://attack.mitre.org/software/S0039" ,
"https://msdn.microsoft.com/en-us/library/aa939914"
] ,
"synonyms" : [
"Net" ,
"net.exe"
]
} ,
"related" : [
{
"dest-uuid" : "21875073-b0ee-49e3-9077-1e2a885359af" ,
"type" : "uses"
} ,
{
"dest-uuid" : "25659dd6-ea12-45c4-97e6-381e3e4b593e" ,
"type" : "uses"
} ,
{
"dest-uuid" : "2aed01ad-3df3-4410-a8cb-11ea4ded587c" ,
"type" : "uses"
} ,
{
"dest-uuid" : "322bad5a-1c49-4d23-ab79-76d641794afa" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3489cfc5-640f-4bb3-a103-9137b97de79f" ,
"type" : "uses"
} ,
{
"dest-uuid" : "4f9ca633-15c5-463c-9724-bdcd54fde541" ,
"type" : "uses"
} ,
{
"dest-uuid" : "635cbe30-392d-4e27-978e-66774357c762" ,
"type" : "uses"
} ,
{
"dest-uuid" : "7610cada-1499-41a4-b3dd-46467b68d177" ,
"type" : "uses"
} ,
{
"dest-uuid" : "7e150503-88e7-4861-866b-ff1ac82c4475" ,
"type" : "uses"
} ,
{
"dest-uuid" : "a01bf75f-00b2-4568-a58f-565ff9bf202b" ,
"type" : "uses"
} ,
{
"dest-uuid" : "a750a9f6-0bde-4bb3-9aae-1e2786e9780c" ,
"type" : "uses"
} ,
{
"dest-uuid" : "b6075259-dba3-44e9-87c7-e954f37ec0d5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e358d692-23c0-4a31-9eb6-ecc13a8d7735" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f1951e8a-500e-4a26-8803-76d95c4554b4" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f3c544dc-673c-4ef3-accb-53229f1ae077" ,
"type" : "uses"
} ,
{
"dest-uuid" : "b6075259-dba3-44e9-87c7-e954f37ec0d5" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
}
] ,
"uuid" : "03342581-f790-4f03-ba41-e82e67392e23" ,
"value" : "Net - S0039"
} ,
{
"description" : "[esentutl](https://attack.mitre.org/software/S0404) is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.(Citation: Microsoft Esentutl)" ,
"meta" : {
"external_id" : "S0404" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0404" ,
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh875546(v=ws.11)"
] ,
"synonyms" : [
"esentutl" ,
"esentutl.exe"
]
} ,
"related" : [
{
"dest-uuid" : "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "bf90d72c-c00b-45e3-b3aa-68560560d4c5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
"type" : "uses"
} ,
{
"dest-uuid" : "edf91964-b26e-4b4a-9600-ccacd7d7df24" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f2857333-11d4-45bf-b064-2c28d8525be5" ,
"type" : "uses"
}
] ,
"uuid" : "c256da91-6dd5-40b2-beeb-ee3b22ab3d27" ,
"value" : "esentutl - S0404"
} ,
{
"description" : "[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)\n\n[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)" ,
"meta" : {
"external_id" : "S0408" ,
"mitre_platforms" : [
"Android"
] ,
"refs" : [
"http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" ,
"https://attack.mitre.org/software/S0408" ,
"https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" ,
"https://www.flexispy.com/"
] ,
"synonyms" : [
"FlexiSpy"
]
} ,
"related" : [
{
"dest-uuid" : "198ce408-1470-45ee-b47f-7056050d4fc2" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3775a580-a1d1-46c4-8147-c614a715f2e9" ,
"type" : "uses"
} ,
{
"dest-uuid" : "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" ,
"type" : "uses"
} ,
{
"dest-uuid" : "702055ac-4e54-4ae9-9527-e23a38e0b160" ,
"type" : "uses"
} ,
{
"dest-uuid" : "73c26732-6422-4081-8b63-6d0ae93d449e" ,
"type" : "uses"
} ,
{
"dest-uuid" : "948a447c-d783-4ba0-8516-a64140fcacd5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "99e6295e-741b-4857-b6e5-64989eb039b4" ,
"type" : "uses"
} ,
{
"dest-uuid" : "a9fa0d30-a8ff-45bf-922e-7720da0b7922" ,
"type" : "uses"
} ,
{
"dest-uuid" : "ab7400b7-3476-4776-9545-ef3fa373de63" ,
"type" : "uses"
} ,
{
"dest-uuid" : "b1c95426-2550-4621-8028-ceebf28b3a47" ,
"type" : "uses"
} ,
{
"dest-uuid" : "c6421411-ae61-42bb-9098-73fddb315002" ,
"type" : "uses"
} ,
{
"dest-uuid" : "c6e17ca2-08b5-4379-9786-89bd05241831" ,
"type" : "uses"
} ,
{
"dest-uuid" : "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" ,
"type" : "uses"
} ,
{
"dest-uuid" : "d8940e76-f9c1-4912-bea6-e21c251370b6" ,
"type" : "uses"
} ,
{
"dest-uuid" : "dd818ea5-adf5-41c7-93b5-f3b839a219fb" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e1c912a9-e305-434b-9172-8a6ce3ec9c4a" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f05fc151-aa62-47e3-ae57-2d1b23d64bf6" ,
"type" : "uses"
}
] ,
"uuid" : "1622fd3d-fcfc-4d02-ac49-f2d786f79b81" ,
"value" : "FlexiSpy - S0408"
} ,
{
"description" : "[Reg](https://attack.mitre.org/software/S0075) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg)\n\nUtilities such as [Reg](https://attack.mitre.org/software/S0075) are known to be used by persistent threats. (Citation: Windows Commands JPCERT)" ,
"meta" : {
"external_id" : "S0075" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0075" ,
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html" ,
"https://technet.microsoft.com/en-us/library/cc732643.aspx"
] ,
"synonyms" : [
"Reg" ,
"reg.exe"
]
} ,
"related" : [
{
"dest-uuid" : "341e222a-a6e3-4f6f-b69c-831d792b1580" ,
"type" : "uses"
} ,
{
"dest-uuid" : "57340c81-c025-4189-8fa0-fc7ede51bae4" ,
"type" : "uses"
} ,
{
"dest-uuid" : "c32f7008-9fea-41f7-8366-5eb9b74bd896" ,
"type" : "uses"
} ,
{
"dest-uuid" : "2edd9d6a-5674-4326-a600-ba56de467286" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
}
] ,
"uuid" : "cde2d700-9ed1-46cf-9bce-07364fe8b24f" ,
"value" : "Reg - S0075"
} ,
{
"description" : "The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)" ,
"meta" : {
"external_id" : "S0057" ,
"refs" : [
"https://attack.mitre.org/software/S0057" ,
"https://technet.microsoft.com/en-us/library/bb491010.aspx"
] ,
"synonyms" : [
"Tasklist"
]
} ,
"related" : [
{
"dest-uuid" : "322bad5a-1c49-4d23-ab79-76d641794afa" ,
"type" : "uses"
} ,
{
"dest-uuid" : "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ,
"type" : "uses"
} ,
{
"dest-uuid" : "cba37adb-d6fb-4610-b069-dd04c0643384" ,
"type" : "uses"
} ,
{
"dest-uuid" : "322bad5a-1c49-4d23-ab79-76d641794afa" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
}
] ,
"uuid" : "2e45723a-31da-4a7e-aaa6-e01998a6788f" ,
"value" : "Tasklist - S0057"
} ,
{
"description" : "[ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)" ,
"meta" : {
"external_id" : "S0508" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0508" ,
"https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44" ,
"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html" ,
"https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" ,
"https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/"
] ,
"synonyms" : [
"ngrok"
]
} ,
"related" : [
{
"dest-uuid" : "118f61a5-eb3e-4fb6-931f-2096647f4ecd" ,
"type" : "uses"
} ,
{
"dest-uuid" : "40597f16-0963-4249-bf4c-ac93b7fb9807" ,
"type" : "uses"
} ,
{
"dest-uuid" : "4fe28b27-b13c-453e-a386-c2ef362a573b" ,
"type" : "uses"
} ,
{
"dest-uuid" : "731f4f55-b6d0-41d1-a7a9-072a66389aea" ,
"type" : "uses"
} ,
{
"dest-uuid" : "830c9528-df21-472c-8c14-a036bf17d665" ,
"type" : "uses"
}
] ,
"uuid" : "2f7f03bb-f367-4a5a-ad9b-310a12a48906" ,
"value" : "ngrok - S0508"
} ,
2022-11-28 11:48:29 +00:00
{
"description" : "[NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)" ,
"meta" : {
"external_id" : "S0590" ,
"mitre_platforms" : [
"Windows" ,
"Linux" ,
"macOS"
] ,
"refs" : [
"https://attack.mitre.org/software/S0590" ,
"https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html" ,
"https://sectools.org/tool/nbtscan/" ,
"https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" ,
"https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments"
] ,
"synonyms" : [
"NBTscan"
]
} ,
"related" : [
{
"dest-uuid" : "03d7999c-1f4c-42cc-8373-e7690d318104" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3257eb21-f9a7-4430-8de1-d8b6e288f529" ,
"type" : "uses"
} ,
{
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e358d692-23c0-4a31-9eb6-ecc13a8d7735" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e3a12395-188d-4051-9a16-ea8e14d07b88" ,
"type" : "uses"
}
] ,
"uuid" : "b63970b7-ddfb-4aee-97b1-80d335e033a8" ,
"value" : "NBTscan - S0590"
} ,
{
"description" : "[ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.(Citation: Microsoft FTP)(Citation: Linux FTP)" ,
"meta" : {
"external_id" : "S0095" ,
"mitre_platforms" : [
"Linux" ,
"Windows" ,
"macOS"
] ,
"refs" : [
"https://attack.mitre.org/software/S0095" ,
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ftp" ,
"https://linux.die.net/man/1/ftp"
] ,
"synonyms" : [
"ftp" ,
"ftp.exe"
]
} ,
"related" : [
{
"dest-uuid" : "bf90d72c-c00b-45e3-b3aa-68560560d4c5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
"type" : "uses"
} ,
{
"dest-uuid" : "fb8d023d-45be-47e9-bc51-f56bcae6435b" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "f879d51c-5476-431c-aedf-f14d207e4d1e" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "cf23bf4a-e003-4116-bbae-1ea6c558d565" ,
"value" : "ftp - S0095"
} ,
{
"description" : "[Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)" ,
"meta" : {
"external_id" : "S0096" ,
"refs" : [
"https://attack.mitre.org/software/S0096" ,
"https://technet.microsoft.com/en-us/library/bb491007.aspx"
] ,
"synonyms" : [
"Systeminfo"
]
} ,
"related" : [
{
"dest-uuid" : "354a7f88-63fb-41b5-a801-ce3b377b36f1" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "354a7f88-63fb-41b5-a801-ce3b377b36f1" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" ,
"value" : "Systeminfo - S0096"
} ,
{
"description" : "[Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)" ,
"meta" : {
"external_id" : "S0097" ,
"refs" : [
"https://attack.mitre.org/software/S0097" ,
"https://technet.microsoft.com/en-us/library/bb490968.aspx"
] ,
"synonyms" : [
"Ping"
]
} ,
"related" : [
{
"dest-uuid" : "e358d692-23c0-4a31-9eb6-ecc13a8d7735" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "e358d692-23c0-4a31-9eb6-ecc13a8d7735" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "b77b563c-34bb-4fb8-86a3-3694338f7b47" ,
"value" : "Ping - S0097"
} ,
{
"description" : "[Arp](https://attack.mitre.org/software/S0099) displays and modifies information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)" ,
"meta" : {
"external_id" : "S0099" ,
"mitre_platforms" : [
"Linux" ,
"Windows" ,
"macOS"
] ,
"refs" : [
"https://attack.mitre.org/software/S0099" ,
"https://technet.microsoft.com/en-us/library/bb490864.aspx"
] ,
"synonyms" : [
"Arp" ,
"arp.exe"
]
} ,
"related" : [
{
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e358d692-23c0-4a31-9eb6-ecc13a8d7735" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "30489451-5886-4c46-90c9-0dff9adc5252" ,
"value" : "Arp - S0099"
} ,
{
"description" : "[schtasks](https://attack.mitre.org/software/S0111) is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)" ,
"meta" : {
"external_id" : "S0111" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0111" ,
"https://technet.microsoft.com/en-us/library/bb490996.aspx"
] ,
"synonyms" : [
"schtasks" ,
"schtasks.exe"
]
} ,
"related" : [
{
"dest-uuid" : "005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "35dd844a-b219-4e2b-a6bb-efa9a75995a9" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "c9703cd3-141c-43a0-a926-380082be5d04" ,
"value" : "schtasks - S0111"
} ,
{
"description" : "[Lslsass](https://attack.mitre.org/software/S0121) is a publicly-available tool that can dump active logon session password hashes from the lsass process. (Citation: Mandiant APT1)" ,
"meta" : {
"external_id" : "S0121" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0121" ,
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
] ,
"synonyms" : [
"Lslsass"
]
} ,
"related" : [
{
"dest-uuid" : "65f2d882-3f41-4d48-8a06-29af77ec9f90" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "2fab555f-7664-4623-b4e0-1675ae38190b" ,
"value" : "Lslsass - S0121"
} ,
{
"description" : "[UACMe](https://attack.mitre.org/software/S0116) is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)" ,
"meta" : {
"external_id" : "S0116" ,
"refs" : [
"https://attack.mitre.org/software/S0116" ,
"https://github.com/hfiref0x/UACME"
]
} ,
"related" : [
{
"dest-uuid" : "120d5519-3098-4e1c-9191-2aa61232f073" ,
"type" : "uses"
} ,
{
"dest-uuid" : "ccde5b0d-fe13-48e6-a6f4-4e434ce29371" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "ccde5b0d-fe13-48e6-a6f4-4e434ce29371" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "102c3898-85e0-43ee-ae28-62a0a3ed9507" ,
"value" : "UACMe - S0116"
} ,
2023-05-08 14:04:50 +00:00
{
"description" : "[Rubeus](https://attack.mitre.org/software/S1071) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)" ,
"meta" : {
"external_id" : "S1071" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S1071" ,
"https://github.com/GhostPack/Rubeus" ,
"https://thedfirreport.com/2020/10/08/ryuks-return/" ,
"https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" ,
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"
] ,
"synonyms" : [
"Rubeus"
]
} ,
"related" : [
{
"dest-uuid" : "3986e7fd-a8e9-4ecb-bfc6-55920855912b" ,
"type" : "uses"
} ,
{
"dest-uuid" : "767dbf9e-df3f-45cb-8998-4903ab5f80c0" ,
"type" : "uses"
} ,
{
"dest-uuid" : "768dce68-8d0d-477a-b01d-0eea98b963a1" ,
"type" : "uses"
} ,
{
"dest-uuid" : "d273434a-448e-4598-8e14-607f4a0d5e27" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f2877f7f-9a4c-4251-879f-1224e3006bee" ,
"type" : "uses"
}
] ,
"uuid" : "e33267fe-099f-4af2-8730-63d49f8813b2" ,
"value" : "Rubeus - S1071"
} ,
2022-11-28 11:48:29 +00:00
{
2024-02-15 10:59:17 +00:00
"description" : "[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that extracts cached password hashes from a system\u2019s registry. (Citation: Mandiant APT1)" ,
2022-11-28 11:48:29 +00:00
"meta" : {
"external_id" : "S0119" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0119" ,
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
] ,
"synonyms" : [
"Cachedump"
]
} ,
"related" : [
{
"dest-uuid" : "6add2ab5-2711-4e9d-87c8-7a0be8531530" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "c9cd7ec9-40b7-49db-80be-1399eddd9c52" ,
"value" : "Cachedump - S0119"
} ,
2023-10-31 17:04:23 +00:00
{
"description" : "Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)" ,
"meta" : {
"external_id" : "S1091" ,
"mitre_platforms" : [
"IaaS"
] ,
"refs" : [
"https://attack.mitre.org/software/S1091" ,
"https://github.com/RhinoSecurityLabs/pacu"
] ,
"synonyms" : [
"Pacu"
]
} ,
"related" : [
{
"dest-uuid" : "16e94db9-b5b1-4cd0-b851-f38fbd0a70f2" ,
"type" : "uses"
} ,
{
"dest-uuid" : "30208d3e-0d6b-43c8-883e-44462a514619" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3298ce88-1628-43b1-87d9-0b5336b193d7" ,
"type" : "uses"
} ,
{
"dest-uuid" : "435dfb86-2697-4867-85b5-2fef496c0517" ,
"type" : "uses"
} ,
{
"dest-uuid" : "55bb4471-ff1f-43b4-88c1-c9384ec47abf" ,
"type" : "uses"
} ,
{
"dest-uuid" : "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d" ,
"type" : "uses"
} ,
{
"dest-uuid" : "77532a55-c283-4cd2-bc5d-2d0b65e9d88c" ,
"type" : "uses"
} ,
{
"dest-uuid" : "7e150503-88e7-4861-866b-ff1ac82c4475" ,
"type" : "uses"
} ,
{
"dest-uuid" : "8565825b-21c8-4518-b75e-cbc4c717a156" ,
"type" : "uses"
} ,
{
"dest-uuid" : "866d0d6d-02c6-42bd-aa2f-02907fdc0969" ,
"type" : "uses"
} ,
{
"dest-uuid" : "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd" ,
"type" : "uses"
} ,
{
"dest-uuid" : "8f104855-e5b7-4077-b1f5-bc3103b41abe" ,
"type" : "uses"
} ,
{
"dest-uuid" : "b6301b64-ef57-4cce-bb0b-77026f14a8db" ,
"type" : "uses"
} ,
{
"dest-uuid" : "cacc40da-4c9e-462c-80d5-fd70a178b12d" ,
"type" : "uses"
} ,
{
"dest-uuid" : "cba37adb-d6fb-4610-b069-dd04c0643384" ,
"type" : "uses"
} ,
{
"dest-uuid" : "cfb525cc-5494-401d-a82b-2539ca46a561" ,
"type" : "uses"
} ,
{
"dest-uuid" : "d94b3ae9-8059-4989-8e9f-ea0f601f80a7" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e24fcba8-2557-4442-a139-1ee2f2e784db" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e848506b-8484-4410-8017-3d235a52f5b3" ,
"type" : "uses"
} ,
{
"dest-uuid" : "ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f232fa7a-025c-4d43-abc7-318e81a73d65" ,
"type" : "uses"
}
] ,
"uuid" : "1b3b8f96-43b1-4460-8e02-1f53d7802fb9" ,
"value" : "Pacu - S1091"
} ,
2022-11-28 11:48:29 +00:00
{
2024-02-15 10:59:17 +00:00
"description" : "[Winexe](https://attack.mitre.org/software/S0191) is a lightweight, open source tool similar to [PsExec](https://attack.mitre.org/software/S0029) designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) [Winexe](https://attack.mitre.org/software/S0191) is unique in that it is a GNU/Linux based client. (Citation: \u00dcberwachung APT28 Forfiles June 2015)" ,
2022-11-28 11:48:29 +00:00
"meta" : {
"external_id" : "S0191" ,
"refs" : [
"https://attack.mitre.org/software/S0191" ,
"https://github.com/skalkoto/winexe/" ,
"https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/"
]
} ,
"related" : [
{
"dest-uuid" : "811bdec0-e236-48ae-b27c-1a8fe0bfc3a9" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "f1951e8a-500e-4a26-8803-76d95c4554b4" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "811bdec0-e236-48ae-b27c-1a8fe0bfc3a9" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "f44731de-ea9f-406d-9b83-30ecbb9b4392" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "96fd6cc4-a693-4118-83ec-619e5352d07d" ,
"value" : "Winexe - S0191"
} ,
{
"description" : "[xCmd](https://attack.mitre.org/software/S0123) is an open source tool that is similar to [PsExec](https://attack.mitre.org/software/S0029) and allows the user to execute applications on remote systems. (Citation: xCmd)" ,
"meta" : {
"external_id" : "S0123" ,
"refs" : [
"https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/" ,
"https://attack.mitre.org/software/S0123"
]
} ,
"related" : [
{
"dest-uuid" : "f1951e8a-500e-4a26-8803-76d95c4554b4" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "f44731de-ea9f-406d-9b83-30ecbb9b4392" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b" ,
"value" : "xCmd - S0123"
} ,
{
"description" : "[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT Wocao December 2019)" ,
"meta" : {
"external_id" : "S0521" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0521" ,
"https://github.com/BloodHoundAD/BloodHound" ,
"https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/" ,
"https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf"
] ,
"synonyms" : [
"BloodHound"
]
} ,
"related" : [
{
"dest-uuid" : "03d7999c-1f4c-42cc-8373-e7690d318104" ,
"type" : "uses"
} ,
{
"dest-uuid" : "1b20efbf-8063-4fc3-a07d-b575318a301b" ,
"type" : "uses"
} ,
{
"dest-uuid" : "21875073-b0ee-49e3-9077-1e2a885359af" ,
"type" : "uses"
} ,
{
"dest-uuid" : "25659dd6-ea12-45c4-97e6-381e3e4b593e" ,
"type" : "uses"
} ,
{
"dest-uuid" : "2aed01ad-3df3-4410-a8cb-11ea4ded587c" ,
"type" : "uses"
} ,
{
"dest-uuid" : "391d824f-0ef1-47a0-b0ee-c59a75e27670" ,
"type" : "uses"
} ,
{
"dest-uuid" : "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ,
"type" : "uses"
} ,
{
"dest-uuid" : "767dbf9e-df3f-45cb-8998-4903ab5f80c0" ,
"type" : "uses"
} ,
{
"dest-uuid" : "970a3432-3237-47ad-bcca-7d8cbb217736" ,
"type" : "uses"
} ,
{
"dest-uuid" : "a01bf75f-00b2-4568-a58f-565ff9bf202b" ,
"type" : "uses"
} ,
{
"dest-uuid" : "b6075259-dba3-44e9-87c7-e954f37ec0d5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e358d692-23c0-4a31-9eb6-ecc13a8d7735" ,
"type" : "uses"
}
] ,
"uuid" : "066b057c-944e-4cfc-b654-e3dfba04b926" ,
"value" : "BloodHound - S0521"
} ,
{
"description" : "[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) [Pupy](https://attack.mitre.org/software/S0192) is publicly available on GitHub. (Citation: GitHub Pupy)" ,
"meta" : {
"external_id" : "S0192" ,
"mitre_platforms" : [
"Linux" ,
"Windows" ,
"macOS" ,
"Android"
] ,
"refs" : [
"https://attack.mitre.org/software/S0192" ,
"https://github.com/n1nj4sec/pupy"
] ,
"synonyms" : [
"Pupy"
]
} ,
"related" : [
{
"dest-uuid" : "00f90846-cbd1-4fc5-9233-df5c2bf2a662" ,
"type" : "uses"
} ,
{
"dest-uuid" : "0259baeb-9f63-4c69-bf10-eb038c390688" ,
"type" : "uses"
} ,
{
"dest-uuid" : "03d7999c-1f4c-42cc-8373-e7690d318104" ,
"type" : "uses"
} ,
{
"dest-uuid" : "09a60ea3-a8d1-4ae5-976e-5783248b72a4" ,
"type" : "uses"
} ,
{
"dest-uuid" : "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" ,
"type" : "uses"
} ,
{
"dest-uuid" : "120d5519-3098-4e1c-9191-2aa61232f073" ,
"type" : "uses"
} ,
{
"dest-uuid" : "1e9eb839-294b-48cc-b0d3-c45555a2a004" ,
"type" : "uses"
} ,
{
"dest-uuid" : "1ecfdab8-7d59-4c98-95d4-dc41970f57fc" ,
"type" : "uses"
} ,
{
"dest-uuid" : "25659dd6-ea12-45c4-97e6-381e3e4b593e" ,
"type" : "uses"
} ,
{
"dest-uuid" : "29be378d-262d-4e99-b00d-852d573628e6" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3489cfc5-640f-4bb3-a103-9137b97de79f" ,
"type" : "uses"
} ,
{
"dest-uuid" : "354a7f88-63fb-41b5-a801-ce3b377b36f1" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3fc9b85a-2862-4363-a64d-d692e3ffbee0" ,
"type" : "uses"
} ,
{
"dest-uuid" : "58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ,
"type" : "uses"
} ,
{
"dest-uuid" : "635cbe30-392d-4e27-978e-66774357c762" ,
"type" : "uses"
} ,
{
"dest-uuid" : "6495ae23-3ab4-43c5-a94f-5638a2c31fd2" ,
"type" : "uses"
} ,
{
"dest-uuid" : "650c784b-7504-4df7-ab2c-4ea882384d1e" ,
"type" : "uses"
} ,
{
"dest-uuid" : "65f2d882-3f41-4d48-8a06-29af77ec9f90" ,
"type" : "uses"
} ,
{
"dest-uuid" : "6add2ab5-2711-4e9d-87c8-7a0be8531530" ,
"type" : "uses"
} ,
{
"dest-uuid" : "6faf650d-bf31-4eb4-802d-1000cf38efaf" ,
"type" : "uses"
} ,
{
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
"type" : "uses"
} ,
{
"dest-uuid" : "7610cada-1499-41a4-b3dd-46467b68d177" ,
"type" : "uses"
} ,
{
"dest-uuid" : "7b211ac6-c815-4189-93a9-ab415deca926" ,
"type" : "uses"
} ,
{
"dest-uuid" : "7bc57495-ea59-4380-be31-a64af124ef18" ,
"type" : "uses"
} ,
{
"dest-uuid" : "7e150503-88e7-4861-866b-ff1ac82c4475" ,
"type" : "uses"
} ,
{
"dest-uuid" : "837f9164-50af-4ac0-8219-379d8a74cefc" ,
"type" : "uses"
} ,
{
"dest-uuid" : "86850eff-2729-40c3-b85e-c4af26da4a2d" ,
"type" : "uses"
} ,
{
"dest-uuid" : "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ,
"type" : "uses"
} ,
{
"dest-uuid" : "92d7da27-2d91-488e-a00c-059dc162766d" ,
"type" : "uses"
} ,
{
"dest-uuid" : "970a3432-3237-47ad-bcca-7d8cbb217736" ,
"type" : "uses"
} ,
{
"dest-uuid" : "9efb1ea7-c37b-4595-9640-b7680cd84279" ,
"type" : "uses"
} ,
{
"dest-uuid" : "bdb420be-5882-41c8-b439-02bbef69d83f" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "bf176076-b789-408e-8cba-7275e81c0ada" ,
"type" : "uses"
} ,
{
"dest-uuid" : "cc3502b5-30cc-4473-ad48-42d51a6ef6d1" ,
"type" : "uses"
} ,
{
"dest-uuid" : "df8b2a25-8bdf-4856-953c-a04372b1c161" ,
"type" : "uses"
} ,
{
"dest-uuid" : "dfefe2ed-4389-4318-8762-f0272b350a1b" ,
"type" : "uses"
} ,
2023-10-31 17:04:23 +00:00
{
"dest-uuid" : "e0232cb0-ded5-4c2e-9dc7-2893142a5c11" ,
"type" : "uses"
} ,
2022-11-28 11:48:29 +00:00
{
"dest-uuid" : "e3a12395-188d-4051-9a16-ea8e14d07b88" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
"type" : "uses"
} ,
{
"dest-uuid" : "eb062747-2193-45de-8fa2-e62549c37ddf" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f1951e8a-500e-4a26-8803-76d95c4554b4" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f4599aa0-4f85-4a32-80ea-fc39dc965945" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "bdb420be-5882-41c8-b439-02bbef69d83f" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "7fd87010-3a00-4da3-b905-410525e8ec44" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "cb69b20d-56d0-41ab-8440-4a4b251614d4" ,
"value" : "Pupy - S0192"
} ,
{
"description" : "MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.(Citation: GitHub MailSniper)" ,
"meta" : {
"external_id" : "S0413" ,
"mitre_platforms" : [
"Office 365" ,
"Windows" ,
"Azure AD"
] ,
"refs" : [
"https://attack.mitre.org/software/S0413" ,
"https://github.com/dafthack/MailSniper"
] ,
"synonyms" : [
"MailSniper"
]
} ,
"related" : [
{
"dest-uuid" : "4bc31b94-045b-4752-8920-aebaebdb6470" ,
"type" : "uses"
} ,
{
"dest-uuid" : "692074ae-bb62-4a5e-a735-02cb6bde458c" ,
"type" : "uses"
} ,
{
"dest-uuid" : "b4694861-542c-48ea-9eb1-10d356e7140a" ,
"type" : "uses"
}
] ,
"uuid" : "999c4e6e-b8dc-4b4f-8d6e-1b829f29997e" ,
"value" : "MailSniper - S0413"
} ,
{
"description" : "[Expand](https://attack.mitre.org/software/S0361) is a Windows utility used to expand one or more compressed CAB files.(Citation: Microsoft Expand Utility) It has been used by [BBSRAT](https://attack.mitre.org/software/S0127) to decompress a CAB file into executable content.(Citation: Palo Alto Networks BBSRAT)" ,
"meta" : {
"external_id" : "S0361" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" ,
"https://attack.mitre.org/software/S0361" ,
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/expand"
] ,
"synonyms" : [
"Expand"
]
} ,
"related" : [
{
"dest-uuid" : "3ccef7ae-cb5e-48f6-8302-897105fbf55c" ,
"type" : "uses"
} ,
{
"dest-uuid" : "bf90d72c-c00b-45e3-b3aa-68560560d4c5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f2857333-11d4-45bf-b064-2c28d8525be5" ,
"type" : "uses"
}
] ,
"uuid" : "ca656c25-44f1-471b-9d9f-e2a3bbb84973" ,
"value" : "Expand - S0361"
} ,
{
"description" : "[Tor](https://attack.mitre.org/software/S0183) is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. [Tor](https://attack.mitre.org/software/S0183) utilizes \"Onion Routing,\" in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)" ,
"meta" : {
"external_id" : "S0183" ,
"mitre_platforms" : [
"Linux" ,
"Windows" ,
"macOS"
] ,
"refs" : [
"http://www.dtic.mil/dtic/tr/fulltext/u2/a465464.pdf" ,
"https://attack.mitre.org/software/S0183"
] ,
"synonyms" : [
"Tor"
]
} ,
"related" : [
{
"dest-uuid" : "a782ebe2-daba-42c7-bc82-e8e9d923162d" ,
"type" : "uses"
} ,
{
"dest-uuid" : "bf176076-b789-408e-8cba-7275e81c0ada" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "7d751199-05fa-4a72-920f-85df4506c76c" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68" ,
"value" : "Tor - S0183"
} ,
{
"description" : "[Forfiles](https://attack.mitre.org/software/S0193) is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. (Citation: Microsoft Forfiles Aug 2016)" ,
"meta" : {
"external_id" : "S0193" ,
"refs" : [
"https://attack.mitre.org/software/S0193" ,
"https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753551(v=ws.11)"
]
} ,
"related" : [
{
"dest-uuid" : "3b0e52ce-517a-4614-a523-1bd5deef6c5e" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "7bc57495-ea59-4380-be31-a64af124ef18" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "7bc57495-ea59-4380-be31-a64af124ef18" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "90ec2b22-7061-4469-b539-0989ec4f96c2" ,
"value" : "Forfiles - S0193"
} ,
{
"description" : "[Out1](https://attack.mitre.org/software/S0594) is a remote access tool written in Python and used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021.(Citation: Trend Micro Muddy Water March 2021)" ,
"meta" : {
"external_id" : "S0594" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0594" ,
"https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
] ,
"synonyms" : [
"Out1"
]
} ,
"related" : [
{
"dest-uuid" : "1e9eb839-294b-48cc-b0d3-c45555a2a004" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ,
"type" : "uses"
} ,
{
"dest-uuid" : "d1fcf083-a721-4223-aedf-bf8960798d62" ,
"type" : "uses"
} ,
{
"dest-uuid" : "df8b2a25-8bdf-4856-953c-a04372b1c161" ,
"type" : "uses"
}
] ,
"uuid" : "80c815bb-b24a-4b9c-9d73-ff4c075a278d" ,
"value" : "Out1 - S0594"
} ,
{
"description" : "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)" ,
"meta" : {
"external_id" : "S0174" ,
"refs" : [
"https://attack.mitre.org/software/S0174" ,
"https://github.com/SpiderLabs/Responder"
2023-05-08 14:04:50 +00:00
] ,
"synonyms" : [
"Responder"
2022-11-28 11:48:29 +00:00
]
} ,
"related" : [
{
"dest-uuid" : "3257eb21-f9a7-4430-8de1-d8b6e288f529" ,
"type" : "uses"
} ,
{
"dest-uuid" : "650c784b-7504-4df7-ab2c-4ea882384d1e" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "3257eb21-f9a7-4430-8de1-d8b6e288f529" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "a1dd2dbd-1550-44bf-abcc-1a4c52e97719" ,
"value" : "Responder - S0174"
} ,
{
"description" : "[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)" ,
"meta" : {
"external_id" : "S0194" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"http://powersploit.readthedocs.io" ,
"http://www.powershellmagazine.com/2014/07/08/powersploit/" ,
"https://attack.mitre.org/software/S0194" ,
"https://github.com/PowerShellMafia/PowerSploit"
] ,
"synonyms" : [
"PowerSploit"
]
} ,
"related" : [
{
"dest-uuid" : "005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ,
"type" : "uses"
} ,
{
"dest-uuid" : "01a5a209-b94c-450b-b7f9-946497d91055" ,
"type" : "uses"
} ,
{
"dest-uuid" : "0259baeb-9f63-4c69-bf10-eb038c390688" ,
"type" : "uses"
} ,
{
"dest-uuid" : "09a60ea3-a8d1-4ae5-976e-5783248b72a4" ,
"type" : "uses"
} ,
{
"dest-uuid" : "0c2d00da-7742-49e7-9928-4514e5075d32" ,
"type" : "uses"
} ,
{
"dest-uuid" : "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" ,
"type" : "uses"
} ,
{
"dest-uuid" : "25659dd6-ea12-45c4-97e6-381e3e4b593e" ,
"type" : "uses"
} ,
{
"dest-uuid" : "2959d63f-73fd-46a1-abd2-109d7dcede32" ,
"type" : "uses"
} ,
{
"dest-uuid" : "2fee9321-3e71-4cf4-af24-d4d40d355b34" ,
"type" : "uses"
} ,
{
"dest-uuid" : "341e222a-a6e3-4f6f-b69c-831d792b1580" ,
"type" : "uses"
} ,
{
"dest-uuid" : "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ,
"type" : "uses"
} ,
{
"dest-uuid" : "4933e63b-9b77-476e-ab29-761bc5b7d15a" ,
"type" : "uses"
} ,
{
"dest-uuid" : "5095a853-299c-4876-abd7-ac0050fb5462" ,
"type" : "uses"
} ,
{
"dest-uuid" : "58af3705-8740-4c68-9329-ec015a7013c2" ,
"type" : "uses"
} ,
{
"dest-uuid" : "65f2d882-3f41-4d48-8a06-29af77ec9f90" ,
"type" : "uses"
} ,
{
"dest-uuid" : "767dbf9e-df3f-45cb-8998-4903ab5f80c0" ,
"type" : "uses"
} ,
{
"dest-uuid" : "8d7bd4f5-3a89-4453-9c82-2c8894d5655e" ,
"type" : "uses"
} ,
{
"dest-uuid" : "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ,
"type" : "uses"
} ,
{
"dest-uuid" : "970a3432-3237-47ad-bcca-7d8cbb217736" ,
"type" : "uses"
} ,
{
"dest-uuid" : "9efb1ea7-c37b-4595-9640-b7680cd84279" ,
"type" : "uses"
} ,
{
"dest-uuid" : "b0533c6e-8fea-4788-874f-b799cacc4b92" ,
"type" : "uses"
} ,
{
"dest-uuid" : "bf96a5a3-3bce-43b7-8597-88545984c07b" ,
"type" : "uses"
} ,
{
"dest-uuid" : "c32f7008-9fea-41f7-8366-5eb9b74bd896" ,
"type" : "uses"
} ,
{
2023-05-08 14:04:50 +00:00
"dest-uuid" : "d336b553-5da9-46ca-98a8-0b23f49fb447" ,
2022-11-28 11:48:29 +00:00
"type" : "uses"
} ,
{
2023-05-08 14:04:50 +00:00
"dest-uuid" : "d511a6f6-4a33-41d5-bc95-c343875d1377" ,
2022-11-28 11:48:29 +00:00
"type" : "uses"
} ,
{
"dest-uuid" : "dcaa092b-7de9-4a21-977f-7fcb77e89c48" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f2877f7f-9a4c-4251-879f-1224e3006bee" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f4599aa0-4f85-4a32-80ea-fc39dc965945" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "13cd9151-83b7-410d-9f98-25d0f0d1d80d" ,
"value" : "PowerSploit - S0194"
} ,
{
"description" : "[meek](https://attack.mitre.org/software/S0175) is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections." ,
"meta" : {
"external_id" : "S0175" ,
"mitre_platforms" : [
"Linux" ,
2018-12-09 08:16:03 +00:00
"Windows" ,
"macOS"
] ,
"refs" : [
2022-11-28 11:48:29 +00:00
"https://attack.mitre.org/software/S0175"
2018-12-09 08:16:03 +00:00
] ,
"synonyms" : [
2022-11-28 11:48:29 +00:00
"meek"
2018-12-09 08:16:03 +00:00
]
} ,
"related" : [
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "ca9d3402-ada3-484d-876a-d717bd6e05f2" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "1ce03c65-5946-4ac9-9d4d-66db87e024bd" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
}
] ,
2022-11-28 11:48:29 +00:00
"uuid" : "65370d0b-3bd4-4653-8cf9-daf56f6be830" ,
"value" : "meek - S0175"
2018-12-09 08:16:03 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"description" : "[IronNetInjector](https://attack.mitre.org/software/S0581) is a [Turla](https://attack.mitre.org/groups/G0010) toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including [ComRAT](https://attack.mitre.org/software/S0126).(Citation: Unit 42 IronNetInjector February 2021 )" ,
2018-12-09 08:16:03 +00:00
"meta" : {
2022-11-28 11:48:29 +00:00
"external_id" : "S0581" ,
2018-12-09 08:16:03 +00:00
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
2022-11-28 11:48:29 +00:00
"https://attack.mitre.org/software/S0581" ,
"https://unit42.paloaltonetworks.com/ironnetinjector/"
2018-12-09 08:16:03 +00:00
] ,
"synonyms" : [
2022-11-28 11:48:29 +00:00
"IronNetInjector"
2018-12-09 08:16:03 +00:00
]
} ,
"related" : [
{
2020-10-18 18:00:48 +00:00
"dest-uuid" : "005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
{
"dest-uuid" : "3ccef7ae-cb5e-48f6-8302-897105fbf55c" ,
"type" : "uses"
} ,
{
"dest-uuid" : "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ,
"type" : "uses"
} ,
{
"dest-uuid" : "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" ,
"type" : "uses"
} ,
{
"dest-uuid" : "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ,
"type" : "uses"
} ,
{
"dest-uuid" : "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ,
"type" : "uses"
} ,
{
"dest-uuid" : "cc3502b5-30cc-4473-ad48-42d51a6ef6d1" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f4599aa0-4f85-4a32-80ea-fc39dc965945" ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
}
] ,
2022-11-28 11:48:29 +00:00
"uuid" : "b1595ddd-a783-482a-90e1-8afc8d48467e" ,
"value" : "IronNetInjector - S0581"
2018-12-09 08:16:03 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"description" : "[ConnectWise](https://attack.mitre.org/software/S0591) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://attack.mitre.org/groups/G0069) and [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) to connect to and conduct lateral movement in target environments.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" ,
2018-12-09 08:16:03 +00:00
"meta" : {
2022-11-28 11:48:29 +00:00
"external_id" : "S0591" ,
2018-12-09 08:16:03 +00:00
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
2022-11-28 11:48:29 +00:00
"https://attack.mitre.org/software/S0591" ,
"https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" ,
"https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
2018-12-09 08:16:03 +00:00
] ,
"synonyms" : [
2022-11-28 11:48:29 +00:00
"ConnectWise" ,
"ScreenConnect"
2018-12-09 08:16:03 +00:00
]
} ,
"related" : [
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "0259baeb-9f63-4c69-bf10-eb038c390688" ,
"type" : "uses"
} ,
{
"dest-uuid" : "6faf650d-bf31-4eb4-802d-1000cf38efaf" ,
"type" : "uses"
} ,
{
"dest-uuid" : "970a3432-3237-47ad-bcca-7d8cbb217736" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
}
] ,
2022-11-28 11:48:29 +00:00
"uuid" : "842976c7-f9c8-41b2-8371-41dc64fbe261" ,
"value" : "ConnectWise - S0591"
2018-12-09 08:16:03 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"description" : "[SDelete](https://attack.mitre.org/software/S0195) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)" ,
2018-12-09 08:16:03 +00:00
"meta" : {
2022-11-28 11:48:29 +00:00
"external_id" : "S0195" ,
2022-11-01 21:39:33 +00:00
"mitre_platforms" : [
"Windows"
] ,
2018-12-09 08:16:03 +00:00
"refs" : [
2022-11-28 11:48:29 +00:00
"https://attack.mitre.org/software/S0195" ,
"https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete"
2022-11-01 21:39:33 +00:00
] ,
"synonyms" : [
2022-11-28 11:48:29 +00:00
"SDelete"
2022-05-25 19:03:14 +00:00
]
2018-12-09 08:16:03 +00:00
} ,
"related" : [
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c" ,
2022-05-25 19:00:57 +00:00
"type" : "uses"
2018-12-09 08:16:03 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d63a3fb8-9452-4e9d-a60a-54be68d5998c" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "1b84d551-6de8-4b96-9930-d177677c3b1d" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
}
] ,
2022-11-28 11:48:29 +00:00
"uuid" : "d8d19e33-94fd-4aa3-b94a-08ee801a2153" ,
"value" : "SDelete - S0195"
2018-12-09 08:16:03 +00:00
} ,
2023-10-31 17:04:23 +00:00
{
"description" : "[AsyncRAT](https://attack.mitre.org/software/S1087) is an open-source remote access tool originally available through the NYANxCAT GitHub repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)" ,
"meta" : {
"external_id" : "S1087" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S1087" ,
"https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader" ,
"https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" ,
"https://telefonicatech.com/blog/snip3-investigacion-malware"
] ,
"synonyms" : [
"AsyncRAT"
]
} ,
"related" : [
{
"dest-uuid" : "005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ,
"type" : "uses"
} ,
{
"dest-uuid" : "0259baeb-9f63-4c69-bf10-eb038c390688" ,
"type" : "uses"
} ,
{
"dest-uuid" : "03d7999c-1f4c-42cc-8373-e7690d318104" ,
"type" : "uses"
} ,
{
"dest-uuid" : "09a60ea3-a8d1-4ae5-976e-5783248b72a4" ,
"type" : "uses"
} ,
{
"dest-uuid" : "29be378d-262d-4e99-b00d-852d573628e6" ,
"type" : "uses"
} ,
{
"dest-uuid" : "354a7f88-63fb-41b5-a801-ce3b377b36f1" ,
"type" : "uses"
} ,
{
"dest-uuid" : "391d824f-0ef1-47a0-b0ee-c59a75e27670" ,
"type" : "uses"
} ,
{
"dest-uuid" : "6faf650d-bf31-4eb4-802d-1000cf38efaf" ,
"type" : "uses"
} ,
{
"dest-uuid" : "7bd9c723-2f78-4309-82c5-47cad406572b" ,
"type" : "uses"
} ,
{
"dest-uuid" : "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ,
"type" : "uses"
} ,
{
"dest-uuid" : "cbb66055-0325-4111-aca0-40547b6ad5b0" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e4dc8c01-417f-458d-9ee0-bb0617c1b391" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
"type" : "uses"
}
] ,
"uuid" : "6a5947f3-1a36-4653-8734-526df3e1d28d" ,
"value" : "AsyncRAT - S1087"
} ,
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"description" : "[MimiPenguin](https://attack.mitre.org/software/S0179) is a credential dumper, similar to [Mimikatz](https://attack.mitre.org/software/S0002), designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)" ,
2018-12-09 08:16:03 +00:00
"meta" : {
2022-11-28 11:48:29 +00:00
"external_id" : "S0179" ,
2018-12-09 08:16:03 +00:00
"mitre_platforms" : [
2022-11-28 11:48:29 +00:00
"Linux"
2018-12-09 08:16:03 +00:00
] ,
"refs" : [
2022-11-28 11:48:29 +00:00
"https://attack.mitre.org/software/S0179" ,
"https://github.com/huntergregal/mimipenguin"
2018-12-09 08:16:03 +00:00
] ,
"synonyms" : [
2022-11-28 11:48:29 +00:00
"MimiPenguin"
2018-12-09 08:16:03 +00:00
]
} ,
"related" : [
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3120b9fa-23b8-4500-ae73-09494f607b7d" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
}
] ,
2022-11-28 11:48:29 +00:00
"uuid" : "5a33468d-844d-4b1f-98c9-0e786c556b27" ,
"value" : "MimiPenguin - S0179"
2018-12-09 08:16:03 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"description" : "[Havij](https://attack.mitre.org/software/S0224) is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. (Citation: Check Point Havij Analysis)" ,
2018-12-09 08:16:03 +00:00
"meta" : {
2022-11-28 11:48:29 +00:00
"external_id" : "S0224" ,
2018-12-09 08:16:03 +00:00
"refs" : [
2022-11-28 11:48:29 +00:00
"https://attack.mitre.org/software/S0224" ,
"https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/"
2022-05-25 19:03:14 +00:00
]
2018-12-09 08:16:03 +00:00
} ,
"related" : [
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3f886f2a-874f-4333-b794-aa6075009b1c" ,
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "3f886f2a-874f-4333-b794-aa6075009b1c" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "fbd727ea-c0dc-42a9-8448-9e12962d1ab5" ,
"value" : "Havij - S0224"
} ,
{
"description" : "[sqlmap](https://attack.mitre.org/software/S0225) is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. (Citation: sqlmap Introduction)" ,
"meta" : {
"external_id" : "S0225" ,
"refs" : [
"http://sqlmap.org/" ,
"https://attack.mitre.org/software/S0225"
]
} ,
"related" : [
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3f886f2a-874f-4333-b794-aa6075009b1c" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "3f886f2a-874f-4333-b794-aa6075009b1c" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
}
] ,
2022-11-28 11:48:29 +00:00
"uuid" : "9a2640c2-9f43-46fe-b13f-bde881e55555" ,
"value" : "sqlmap - S0225"
2018-12-09 08:16:03 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"description" : "[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)" ,
2018-12-09 08:16:03 +00:00
"meta" : {
2022-11-28 11:48:29 +00:00
"external_id" : "S0262" ,
2022-11-01 21:39:33 +00:00
"mitre_platforms" : [
"Windows"
] ,
2018-12-09 08:16:03 +00:00
"refs" : [
2022-11-28 11:48:29 +00:00
"https://attack.mitre.org/software/S0262" ,
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" ,
"https://github.com/quasar/QuasarRAT" ,
"https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" ,
"https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
2022-11-01 21:39:33 +00:00
] ,
"synonyms" : [
2022-11-28 11:48:29 +00:00
"QuasarRAT" ,
"xRAT"
2022-05-25 19:03:14 +00:00
]
2018-12-09 08:16:03 +00:00
} ,
"related" : [
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ,
"type" : "uses"
} ,
{
"dest-uuid" : "03d7999c-1f4c-42cc-8373-e7690d318104" ,
"type" : "uses"
} ,
{
"dest-uuid" : "09a60ea3-a8d1-4ae5-976e-5783248b72a4" ,
"type" : "uses"
} ,
{
"dest-uuid" : "120d5519-3098-4e1c-9191-2aa61232f073" ,
"type" : "uses"
} ,
{
"dest-uuid" : "24bfaeba-cb0d-4525-b3dc-507c77ecec41" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2021-04-29 16:12:36 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "32901740-b42c-4fdd-bc02-345b5dc57082" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "354a7f88-63fb-41b5-a801-ce3b377b36f1" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3fc9b85a-2862-4363-a64d-d692e3ffbee0" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "57340c81-c025-4189-8fa0-fc7ede51bae4" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "6faf650d-bf31-4eb4-802d-1000cf38efaf" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "731f4f55-b6d0-41d1-a7a9-072a66389aea" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "837f9164-50af-4ac0-8219-379d8a74cefc" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "9efb1ea7-c37b-4595-9640-b7680cd84279" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
2021-10-22 12:34:25 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "b18eae87-b469-4e14-b454-b171b416bc18" ,
2021-10-22 12:34:25 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "c21d5a77-d422-4a69-acd7-2c53c1faa34b" ,
2022-05-25 19:00:57 +00:00
"type" : "uses"
2018-12-09 08:16:03 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "c877e33f-1df6-40d6-b1e7-ce70f16f4979" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "cbb66055-0325-4111-aca0-40547b6ad5b0" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d1fcf083-a721-4223-aedf-bf8960798d62" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "eb062747-2193-45de-8fa2-e62549c37ddf" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "ec8fc7e2-b356-455c-8db5-2e37be158e7d" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "da04ac30-27da-4959-a67d-450ce47d9470" ,
"value" : "QuasarRAT - S0262"
} ,
{
"description" : "[spwebmember](https://attack.mitre.org/software/S0227) is a Microsoft SharePoint enumeration and data dumping tool written in .NET. (Citation: NCC Group APT15 Alive and Strong)" ,
"meta" : {
"external_id" : "S0227" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0227" ,
"https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
] ,
"synonyms" : [
"spwebmember"
]
} ,
"related" : [
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "0c4b4fda-9062-47da-98b9-ceae2dcf052a" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "d28ef391-8ed4-45dc-bc4a-2f43abf54416" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "33b9e38f-103c-412d-bdcf-904a91fff1e4" ,
"value" : "spwebmember - S0227"
} ,
{
"description" : "[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in malware campaigns.(Citation: Riskiq Remcos Jan 2018)(Citation: Talos Remcos Aug 2018)" ,
"meta" : {
"external_id" : "S0332" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0332" ,
"https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html" ,
2023-05-08 14:04:50 +00:00
"https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/" ,
"https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html"
2022-11-28 11:48:29 +00:00
] ,
"synonyms" : [
"Remcos"
]
} ,
"related" : [
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "0259baeb-9f63-4c69-bf10-eb038c390688" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "09a60ea3-a8d1-4ae5-976e-5783248b72a4" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "120d5519-3098-4e1c-9191-2aa61232f073" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "29be378d-262d-4e99-b00d-852d573628e6" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "30973a08-aed9-4edf-8604-9084ce1b5c4f" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "57340c81-c025-4189-8fa0-fc7ede51bae4" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "6faf650d-bf31-4eb4-802d-1000cf38efaf" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "731f4f55-b6d0-41d1-a7a9-072a66389aea" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "7bc57495-ea59-4380-be31-a64af124ef18" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "9efb1ea7-c37b-4595-9640-b7680cd84279" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "cc3502b5-30cc-4473-ad48-42d51a6ef6d1" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d1fcf083-a721-4223-aedf-bf8960798d62" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
"type" : "uses"
}
] ,
"uuid" : "7cd0bc75-055b-4098-a00e-83dc8beaff14" ,
"value" : "Remcos - S0332"
} ,
{
"description" : "[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1059/001). Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)" ,
"meta" : {
"external_id" : "S0378" ,
"mitre_platforms" : [
"Windows" ,
"Linux" ,
"macOS"
] ,
"refs" : [
"https://attack.mitre.org/software/S0378" ,
"https://github.com/nettitude/PoshC2_Python"
] ,
"synonyms" : [
"PoshC2"
]
} ,
"related" : [
{
"dest-uuid" : "00f90846-cbd1-4fc5-9233-df5c2bf2a662" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "01a5a209-b94c-450b-b7f9-946497d91055" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "09a60ea3-a8d1-4ae5-976e-5783248b72a4" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "120d5519-3098-4e1c-9191-2aa61232f073" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
2019-10-27 20:06:26 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "21875073-b0ee-49e3-9077-1e2a885359af" ,
2019-10-27 20:06:26 +00:00
"type" : "uses"
} ,
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "25659dd6-ea12-45c4-97e6-381e3e4b593e" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "30208d3e-0d6b-43c8-883e-44462a514619" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "322bad5a-1c49-4d23-ab79-76d641794afa" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3257eb21-f9a7-4430-8de1-d8b6e288f529" ,
"type" : "uses"
2018-12-09 08:16:03 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "354a7f88-63fb-41b5-a801-ce3b377b36f1" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3fc9b85a-2862-4363-a64d-d692e3ffbee0" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "650c784b-7504-4df7-ab2c-4ea882384d1e" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "65f2d882-3f41-4d48-8a06-29af77ec9f90" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "677569f9-a8b0-459e-ab24-7f18091fa7bf" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "731f4f55-b6d0-41d1-a7a9-072a66389aea" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "767dbf9e-df3f-45cb-8998-4903ab5f80c0" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2019-10-25 08:12:22 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "7bc57495-ea59-4380-be31-a64af124ef18" ,
2019-10-25 08:12:22 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "7e150503-88e7-4861-866b-ff1ac82c4475" ,
2019-10-25 08:12:22 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "837f9164-50af-4ac0-8219-379d8a74cefc" ,
2019-10-25 08:12:22 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2019-04-30 17:07:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "910906dd-8c0a-475a-9cc1-5e029e2fad58" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "9db0cf3a-a3c9-4012-8268-123b9db6fd82" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "a01bf75f-00b2-4568-a58f-565ff9bf202b" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "a93494bb-4b80-4ea1-8695-3236a49916fd" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "b21c3b2d-02e6-45b1-980b-e69051040839" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "b6075259-dba3-44e9-87c7-e954f37ec0d5" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "dcaa092b-7de9-4a21-977f-7fcb77e89c48" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "df8b2a25-8bdf-4856-953c-a04372b1c161" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e3a12395-188d-4051-9a16-ea8e14d07b88" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e624264c-033a-424d-9fd7-fc9c3bbdb03e" ,
"type" : "uses"
} ,
{
"dest-uuid" : "f1951e8a-500e-4a26-8803-76d95c4554b4" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
}
] ,
2022-11-28 11:48:29 +00:00
"uuid" : "4b57c098-f043-4da2-83ef-7588a6d426bc" ,
"value" : "PoshC2 - S0378"
2018-12-09 08:16:03 +00:00
} ,
2021-04-29 16:12:36 +00:00
{
2022-11-28 11:48:29 +00:00
"description" : "[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)" ,
2021-04-29 16:12:36 +00:00
"meta" : {
2022-11-28 11:48:29 +00:00
"external_id" : "S0552" ,
2021-04-29 16:12:36 +00:00
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
2022-11-28 11:48:29 +00:00
"https://attack.mitre.org/software/S0552" ,
"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/" ,
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" ,
"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html"
2021-04-29 16:12:36 +00:00
] ,
"synonyms" : [
2022-11-28 11:48:29 +00:00
"AdFind"
2021-04-29 16:12:36 +00:00
]
} ,
"related" : [
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "21875073-b0ee-49e3-9077-1e2a885359af" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "2aed01ad-3df3-4410-a8cb-11ea4ded587c" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "767dbf9e-df3f-45cb-8998-4903ab5f80c0" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e358d692-23c0-4a31-9eb6-ecc13a8d7735" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
}
] ,
2022-11-28 11:48:29 +00:00
"uuid" : "f59508a6-3615-47c3-b493-6676e1a39a87" ,
"value" : "AdFind - S0552"
2021-04-29 16:12:36 +00:00
} ,
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"description" : "[RemoteUtilities](https://attack.mitre.org/software/S0592) is a legitimate remote administration tool that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021 for execution on target machines.(Citation: Trend Micro Muddy Water March 2021)" ,
2018-12-09 08:16:03 +00:00
"meta" : {
2022-11-28 11:48:29 +00:00
"external_id" : "S0592" ,
2022-11-01 21:39:33 +00:00
"mitre_platforms" : [
"Windows"
] ,
2018-12-09 08:16:03 +00:00
"refs" : [
2022-11-28 11:48:29 +00:00
"https://attack.mitre.org/software/S0592" ,
"https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
2022-11-01 21:39:33 +00:00
] ,
"synonyms" : [
2022-11-28 11:48:29 +00:00
"RemoteUtilities"
2022-05-25 19:03:14 +00:00
]
2018-12-09 08:16:03 +00:00
} ,
"related" : [
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "0259baeb-9f63-4c69-bf10-eb038c390688" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "365be77f-fc0e-42ee-bac8-4faf806d9336" ,
"type" : "uses"
} ,
{
"dest-uuid" : "7bc57495-ea59-4380-be31-a64af124ef18" ,
"type" : "uses"
} ,
{
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
}
] ,
2022-11-28 11:48:29 +00:00
"uuid" : "03c6e0ea-96d3-4b23-9afb-05055663cf4b" ,
"value" : "RemoteUtilities - S0592"
2018-12-09 08:16:03 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"description" : "[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in PowerShell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.(Citation: GitHub SILENTTRINITY March 2022)(Citation: Security Affairs SILENTTRINITY July 2019)" ,
2018-12-09 08:16:03 +00:00
"meta" : {
2022-11-28 11:48:29 +00:00
"external_id" : "S0692" ,
2018-12-09 08:16:03 +00:00
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
2022-11-28 11:48:29 +00:00
"https://attack.mitre.org/software/S0692" ,
"https://github.com/byt3bl33d3r/SILENTTRINITY" ,
"https://securityaffairs.co/wordpress/88021/apt/croatia-government-silenttrinity-malware.html"
2018-12-09 08:16:03 +00:00
] ,
"synonyms" : [
2022-11-28 11:48:29 +00:00
"SILENTTRINITY"
2018-12-09 08:16:03 +00:00
]
} ,
"related" : [
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "01a5a209-b94c-450b-b7f9-946497d91055" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "0259baeb-9f63-4c69-bf10-eb038c390688" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "03d7999c-1f4c-42cc-8373-e7690d318104" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "09a60ea3-a8d1-4ae5-976e-5783248b72a4" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "120d5519-3098-4e1c-9191-2aa61232f073" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "21875073-b0ee-49e3-9077-1e2a885359af" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "2959d63f-73fd-46a1-abd2-109d7dcede32" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "2aed01ad-3df3-4410-a8cb-11ea4ded587c" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "322bad5a-1c49-4d23-ab79-76d641794afa" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3489cfc5-640f-4bb3-a103-9137b97de79f" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "354a7f88-63fb-41b5-a801-ce3b377b36f1" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "391d824f-0ef1-47a0-b0ee-c59a75e27670" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "4ae4f953-fe58-4cc8-a327-33257e30a830" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "57340c81-c025-4189-8fa0-fc7ede51bae4" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "65f2d882-3f41-4d48-8a06-29af77ec9f90" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "68a0c5ed-bee2-4513-830d-5b0d650139bd" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "799ace7f-e227-4411-baa0-8868704f2a69" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "7bc57495-ea59-4380-be31-a64af124ef18" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "86850eff-2729-40c3-b85e-c4af26da4a2d" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2020-10-18 18:00:48 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "8d7bd4f5-3a89-4453-9c82-2c8894d5655e" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "8f504411-cb96-4dac-a537-8d2bb7679c59" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "910906dd-8c0a-475a-9cc1-5e029e2fad58" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "92d7da27-2d91-488e-a00c-059dc162766d" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "970a3432-3237-47ad-bcca-7d8cbb217736" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "98034fef-d9fb-4667-8dc4-2eab6231724c" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2021-04-29 16:12:36 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "9efb1ea7-c37b-4595-9640-b7680cd84279" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "a01bf75f-00b2-4568-a58f-565ff9bf202b" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "a2029942-0a85-4947-b23c-ca434698171d" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "ac08589e-ee59-4935-8667-d845e38fe579" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "c32f7008-9fea-41f7-8366-5eb9b74bd896" ,
"type" : "uses"
} ,
{
"dest-uuid" : "cba37adb-d6fb-4610-b069-dd04c0643384" ,
"type" : "uses"
} ,
{
"dest-uuid" : "cbb66055-0325-4111-aca0-40547b6ad5b0" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "cc3502b5-30cc-4473-ad48-42d51a6ef6d1" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d1fcf083-a721-4223-aedf-bf8960798d62" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2021-04-29 16:12:36 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d336b553-5da9-46ca-98a8-0b23f49fb447" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d63a3fb8-9452-4e9d-a60a-54be68d5998c" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e358d692-23c0-4a31-9eb6-ecc13a8d7735" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e3a12395-188d-4051-9a16-ea8e14d07b88" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2019-04-30 17:07:57 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "f2877f7f-9a4c-4251-879f-1224e3006bee" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "f3c544dc-673c-4ef3-accb-53229f1ae077" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "f4c1826f-a322-41cd-9557-562100848c84" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
}
] ,
2022-11-28 11:48:29 +00:00
"uuid" : "1244e058-fa10-48cb-b484-0bcf671107ae" ,
"value" : "SILENTTRINITY - S0692"
2018-12-09 08:16:03 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"description" : "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)" ,
2018-12-09 08:16:03 +00:00
"meta" : {
2022-11-28 11:48:29 +00:00
"external_id" : "S0298" ,
2018-12-09 08:16:03 +00:00
"refs" : [
2022-11-28 11:48:29 +00:00
"http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" ,
"https://attack.mitre.org/software/S0298"
2018-12-09 08:16:03 +00:00
]
} ,
"related" : [
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "4c58b7c6-a839-4789-bda9-9de33e4d4512" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "4cfa42a3-71d9-43e2-bf23-daa79f326387" ,
2018-12-09 08:16:03 +00:00
"tags" : [
2022-11-28 11:48:29 +00:00
"estimative-language:likelihood-probability=\"likely\""
2018-12-09 08:16:03 +00:00
] ,
2022-11-28 11:48:29 +00:00
"type" : "similar"
2018-12-09 08:16:03 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "5a78ec38-8b93-4dde-a99e-0c9b77674838" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "c6421411-ae61-42bb-9098-73fddb315002" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d9e88203-2b5d-405f-a406-2933b1e3d7e4" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e683cd91-40b4-4e1c-be25-34a27610a22e" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2024-02-15 10:59:17 +00:00
} ,
{
"dest-uuid" : "e683cd91-40b4-4e1c-be25-34a27610a22e" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "4cfa42a3-71d9-43e2-bf23-daa79f326387" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "5a78ec38-8b93-4dde-a99e-0c9b77674838" ,
"tags" : [
"estimative-language:likelihood-probability=\"likely\""
] ,
"type" : "similar"
} ,
{
"dest-uuid" : "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" ,
"tags" : [
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "da21929e-40c0-443d-bdf4-6b60d15448b4" ,
"value" : "Xbot - S0298"
} ,
{
"description" : "[Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1059/001) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)" ,
"meta" : {
"external_id" : "S0363" ,
"mitre_platforms" : [
"Linux" ,
"macOS" ,
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0363" ,
"https://github.com/PowerShellEmpire/Empire" ,
"https://github.com/dstepanic/attck_empire" ,
"https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools"
] ,
"synonyms" : [
"Empire" ,
"EmPyre" ,
"PowerShell Empire"
]
} ,
"related" : [
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "005a06c6-14bf-4118-afa0-ebcd8aebb0c9" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "01a5a209-b94c-450b-b7f9-946497d91055" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "0259baeb-9f63-4c69-bf10-eb038c390688" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "03d7999c-1f4c-42cc-8373-e7690d318104" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "09a60ea3-a8d1-4ae5-976e-5783248b72a4" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "0c2d00da-7742-49e7-9928-4514e5075d32" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "120d5519-3098-4e1c-9191-2aa61232f073" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "1b20efbf-8063-4fc3-a07d-b575318a301b" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2019-10-25 08:12:22 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "1e9eb839-294b-48cc-b0d3-c45555a2a004" ,
2019-10-25 08:12:22 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "21875073-b0ee-49e3-9077-1e2a885359af" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2018-12-09 08:16:03 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "25659dd6-ea12-45c4-97e6-381e3e4b593e" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2018-12-09 08:16:03 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "2959d63f-73fd-46a1-abd2-109d7dcede32" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2018-12-09 08:16:03 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "2db31dcd-54da-405d-acef-b9129b816ed6" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2018-12-09 08:16:03 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "2fee9321-3e71-4cf4-af24-d4d40d355b34" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "30208d3e-0d6b-43c8-883e-44462a514619" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "30973a08-aed9-4edf-8604-9084ce1b5c4f" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3257eb21-f9a7-4430-8de1-d8b6e288f529" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3489cfc5-640f-4bb3-a103-9137b97de79f" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "354a7f88-63fb-41b5-a801-ce3b377b36f1" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "391d824f-0ef1-47a0-b0ee-c59a75e27670" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "47f2d673-ca62-47e9-929b-1b0be9657611" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "5095a853-299c-4876-abd7-ac0050fb5462" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ,
2018-12-09 08:16:03 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2019-04-30 17:07:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "58af3705-8740-4c68-9329-ec015a7013c2" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "5d2be8b9-d24c-4e98-83bf-2f5f79477163" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "5e4a2073-9643-44cb-a0b5-e7f4048446c7" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "60b508a1-6a5e-46b1-821a-9f7b78752abf" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "635cbe30-392d-4e27-978e-66774357c762" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "650c784b-7504-4df7-ab2c-4ea882384d1e" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "65f2d882-3f41-4d48-8a06-29af77ec9f90" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "677569f9-a8b0-459e-ab24-7f18091fa7bf" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "68a0c5ed-bee2-4513-830d-5b0d650139bd" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "6faf650d-bf31-4eb4-802d-1000cf38efaf" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "70e52b04-2a0c-4cea-9d18-7149f1df9dc5" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "7385dfaf-6886-4229-9ecd-6fd678040830" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "7610cada-1499-41a4-b3dd-46467b68d177" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "767dbf9e-df3f-45cb-8998-4903ab5f80c0" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "768dce68-8d0d-477a-b01d-0eea98b963a1" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "7bc57495-ea59-4380-be31-a64af124ef18" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "7e150503-88e7-4861-866b-ff1ac82c4475" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-05-25 19:00:57 +00:00
"dest-uuid" : "837f9164-50af-4ac0-8219-379d8a74cefc" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "86a96bf6-cf8b-411c-aaeb-8959944d64f7" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "92d7da27-2d91-488e-a00c-059dc162766d" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "970a3432-3237-47ad-bcca-7d8cbb217736" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "9db0cf3a-a3c9-4012-8268-123b9db6fd82" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "9efb1ea7-c37b-4595-9640-b7680cd84279" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "b21c3b2d-02e6-45b1-980b-e69051040839" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "b7dc639b-24cd-482d-a7f1-8897eda21023" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "bf176076-b789-408e-8cba-7275e81c0ada" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "bf1b6176-597c-4600-bfcd-ac989670f96b" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "bf96a5a3-3bce-43b7-8597-88545984c07b" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "c92e3d68-2349-49e4-a341-7edca2deff96" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "cba37adb-d6fb-4610-b069-dd04c0643384" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2021-04-29 16:12:36 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d1fcf083-a721-4223-aedf-bf8960798d62" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d273434a-448e-4598-8e14-607f4a0d5e27" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
2023-05-08 14:04:50 +00:00
{
"dest-uuid" : "d511a6f6-4a33-41d5-bc95-c343875d1377" ,
"type" : "uses"
} ,
2021-04-29 16:12:36 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "dcaa092b-7de9-4a21-977f-7fcb77e89c48" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "df8b2a25-8bdf-4856-953c-a04372b1c161" ,
2021-04-29 16:12:36 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2019-04-30 17:07:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e3a12395-188d-4051-9a16-ea8e14d07b88" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
2019-04-30 17:07:57 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e624264c-033a-424d-9fd7-fc9c3bbdb03e" ,
"type" : "uses"
2019-04-30 17:07:57 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
"type" : "uses"
2019-04-30 17:07:57 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "f1951e8a-500e-4a26-8803-76d95c4554b4" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "f2877f7f-9a4c-4251-879f-1224e3006bee" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "f5946b5e-9408-485f-a7f7-b5efc88909b6" ,
"type" : "uses"
2022-04-25 16:29:57 +00:00
} ,
2019-04-30 17:07:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "fc742192-19e3-466c-9eb5-964a97b29490" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2022-11-01 21:39:33 +00:00
}
] ,
2022-11-28 11:48:29 +00:00
"uuid" : "3433a9e8-1c47-4320-b9bf-ed449061d1c3" ,
"value" : "Empire - S0363"
2022-11-01 21:39:33 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"description" : "[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control framework written in Golang.(Citation: Bishop Fox Sliver Framework August 2019)" ,
2022-11-01 21:39:33 +00:00
"meta" : {
2022-11-28 11:48:29 +00:00
"external_id" : "S0633" ,
2022-11-01 21:39:33 +00:00
"mitre_platforms" : [
2022-11-28 11:48:29 +00:00
"Windows" ,
2022-11-01 21:39:33 +00:00
"Linux" ,
2022-11-28 11:48:29 +00:00
"macOS"
2022-11-01 21:39:33 +00:00
] ,
"refs" : [
2022-11-28 11:48:29 +00:00
"https://attack.mitre.org/software/S0633" ,
"https://labs.bishopfox.com/tech-blog/sliver"
2022-11-01 21:39:33 +00:00
] ,
"synonyms" : [
2022-11-28 11:48:29 +00:00
"Sliver"
2022-11-01 21:39:33 +00:00
]
} ,
"related" : [
2019-04-30 17:07:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "0259baeb-9f63-4c69-bf10-eb038c390688" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "04fd5427-79c7-44ea-ae13-11b24778ff1c" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "1996eef1-ced3-4d7f-bf94-33298cabbf72" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "24bfaeba-cb0d-4525-b3dc-507c77ecec41" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "7bc57495-ea59-4380-be31-a64af124ef18" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "7e150503-88e7-4861-866b-ff1ac82c4475" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "92d7da27-2d91-488e-a00c-059dc162766d" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "bf176076-b789-408e-8cba-7275e81c0ada" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "dcaa092b-7de9-4a21-977f-7fcb77e89c48" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "df8b2a25-8bdf-4856-953c-a04372b1c161" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "eec23884-3fa1-4d8a-ac50-6f104d51e235" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "11f8d7eb-1927-4806-9267-3a11d4d4d6be" ,
"value" : "Sliver - S0633"
} ,
{
"description" : "[RawDisk](https://attack.mitre.org/software/S0364) is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.(Citation: EldoS RawDisk ITpro)(Citation: Novetta Blockbuster Destructive Malware)" ,
"meta" : {
"external_id" : "S0364" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0364" ,
"https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" ,
"https://www.itprotoday.com/windows-78/eldos-provides-raw-disk-access-vista-and-xp"
] ,
"synonyms" : [
"RawDisk"
]
} ,
"related" : [
2019-04-30 17:07:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "0af0ca99-357d-4ba1-805f-674fdfb7bef9" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "fb640c43-aa6b-431e-a961-a279010424ac" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "3ffbdc1f-d2bf-41ab-91a2-c7b857e98079" ,
"value" : "RawDisk - S0364"
} ,
{
"description" : "[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. [LaZagne](https://attack.mitre.org/software/S0349) is publicly available on GitHub.(Citation: GitHub LaZagne Dec 2018)" ,
"meta" : {
"external_id" : "S0349" ,
"mitre_platforms" : [
"Linux" ,
"macOS" ,
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0349" ,
"https://github.com/AlessandroZ/LaZagne"
] ,
"synonyms" : [
"LaZagne"
]
} ,
"related" : [
2019-04-30 17:07:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "1eaebf46-e361-4437-bc23-d5d65a3b92e3" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "1ecfdab8-7d59-4c98-95d4-dc41970f57fc" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3120b9fa-23b8-4500-ae73-09494f607b7d" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3fc9b85a-2862-4363-a64d-d692e3ffbee0" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "58a3e6aa-4453-4cc8-a51f-4befe80b31a8" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "65f2d882-3f41-4d48-8a06-29af77ec9f90" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "6add2ab5-2711-4e9d-87c8-7a0be8531530" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "837f9164-50af-4ac0-8219-379d8a74cefc" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d336b553-5da9-46ca-98a8-0b23f49fb447" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "b76b2d94-60e4-4107-a903-4a3a7622fb3b" ,
"value" : "LaZagne - S0349"
} ,
{
"description" : "[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools)" ,
"meta" : {
"external_id" : "S0357" ,
"mitre_platforms" : [
"Linux" ,
"macOS" ,
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0357" ,
"https://www.secureauth.com/labs/open-source-tools/impacket"
] ,
"synonyms" : [
"Impacket"
]
} ,
"related" : [
2019-04-30 17:07:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "01a5a209-b94c-450b-b7f9-946497d91055" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "1644e709-12d2-41e5-a60f-3470991f5011" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "1ecfdab8-7d59-4c98-95d4-dc41970f57fc" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3257eb21-f9a7-4430-8de1-d8b6e288f529" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "650c784b-7504-4df7-ab2c-4ea882384d1e" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "65f2d882-3f41-4d48-8a06-29af77ec9f90" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "edf91964-b26e-4b4a-9600-ccacd7d7df24" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "f1951e8a-500e-4a26-8803-76d95c4554b4" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "f2877f7f-9a4c-4251-879f-1224e3006bee" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "26c87906-d750-42c5-946c-d4162c73fc7b" ,
"value" : "Impacket - S0357"
} ,
{
"description" : "[Ruler](https://attack.mitre.org/software/S0358) is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of [Ruler](https://attack.mitre.org/software/S0358) have also released a defensive tool, NotRuler, to detect its usage.(Citation: SensePost Ruler GitHub)(Citation: SensePost NotRuler)" ,
"meta" : {
"external_id" : "S0358" ,
"mitre_platforms" : [
"Windows" ,
"Office 365"
] ,
"refs" : [
"https://attack.mitre.org/software/S0358" ,
"https://github.com/sensepost/notruler" ,
"https://github.com/sensepost/ruler"
] ,
"synonyms" : [
"Ruler"
]
} ,
"related" : [
2019-04-30 17:07:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3d1b9d7e-3921-4d25-845a-7d9f15c0da44" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "4bc31b94-045b-4752-8920-aebaebdb6470" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "a9e2cea0-c805-4bf8-9e31-f5f0513a3634" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2022-11-01 21:39:33 +00:00
} ,
2022-04-25 16:29:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "bf147104-abf9-4221-95d1-e81585859441" ,
"type" : "uses"
}
] ,
"uuid" : "90ac9266-68ce-46f2-b24f-5eb3b2a8ea38" ,
"value" : "Ruler - S0358"
} ,
{
"description" : "[Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)" ,
"meta" : {
"external_id" : "S0359" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0359" ,
"https://ss64.com/nt/nltest.html"
] ,
"synonyms" : [
"Nltest"
]
} ,
"related" : [
{
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
2022-05-25 19:00:57 +00:00
"type" : "uses"
2019-04-30 17:07:57 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "767dbf9e-df3f-45cb-8998-4903ab5f80c0" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e358d692-23c0-4a31-9eb6-ecc13a8d7735" ,
"type" : "uses"
}
] ,
"uuid" : "981acc4c-2ede-4b56-be6e-fa1a75f37acf" ,
"value" : "Nltest - S0359"
} ,
{
"description" : "[Peirates](https://attack.mitre.org/software/S0683) is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and publicly available on GitHub.(Citation: Peirates GitHub)" ,
"meta" : {
"external_id" : "S0683" ,
"mitre_platforms" : [
"Containers"
] ,
"refs" : [
"https://attack.mitre.org/software/S0683" ,
"https://github.com/inguardians/peirates"
] ,
"synonyms" : [
"Peirates"
]
} ,
"related" : [
{
"dest-uuid" : "0470e792-32f8-46b0-a351-652bc35e9336" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "19bf235b-8620-4997-b5b4-94e0659ed7c3" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2022-11-01 21:39:33 +00:00
} ,
2019-04-30 17:07:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3298ce88-1628-43b1-87d9-0b5336b193d7" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "4a5b7ade-8bb5-4853-84ed-23f262002665" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "56e0d8b8-3e25-49dd-9050-3aa252f5aa92" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "8565825b-21c8-4518-b75e-cbc4c717a156" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "890c9858-598c-401d-a4d5-c67ebcdd703a" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e3a12395-188d-4051-9a16-ea8e14d07b88" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "f005e783-57d4-4837-88ad-dbe7faee1c51" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "f232fa7a-025c-4d43-abc7-318e81a73d65" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "f8ef3a62-3f44-40a4-abca-761ab235c436" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "79dd477a-8226-4b3d-ad15-28623675f221" ,
"value" : "Peirates - S0683"
} ,
{
"description" : "[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as [ShimRat](https://attack.mitre.org/software/S0444)) as well as set up faux infrastructure which mimics the adversary's targets. [ShimRatReporter](https://attack.mitre.org/software/S0445) has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.(Citation: FOX-IT May 2016 Mofang)" ,
"meta" : {
"external_id" : "S0445" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0445" ,
"https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf"
] ,
"synonyms" : [
"ShimRatReporter"
]
} ,
"related" : [
2019-04-30 17:07:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "15dbf668-795c-41e6-8219-f0447c0e64ce" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2019-10-25 08:12:22 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "30208d3e-0d6b-43c8-883e-44462a514619" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "354a7f88-63fb-41b5-a801-ce3b377b36f1" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "391d824f-0ef1-47a0-b0ee-c59a75e27670" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "72b74d71-8169-42aa-92e0-e7b04b9f5a08" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "7e150503-88e7-4861-866b-ff1ac82c4475" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "92d7da27-2d91-488e-a00c-059dc162766d" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "df8b2a25-8bdf-4856-953c-a04372b1c161" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e3b6daca-e963-4a69-aee6-ed4fd653ad58" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
2022-11-01 21:39:33 +00:00
}
] ,
2022-11-28 11:48:29 +00:00
"uuid" : "115f88dd-0618-4389-83cb-98d33ae81848" ,
"value" : "ShimRatReporter - S0445"
2022-11-01 21:39:33 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"description" : "[CARROTBALL](https://attack.mitre.org/software/S0465) is an FTP downloader utility that has been in use since at least 2019. [CARROTBALL](https://attack.mitre.org/software/S0465) has been used as a downloader to install [SYSCON](https://attack.mitre.org/software/S0464).(Citation: Unit 42 CARROTBAT January 2020)" ,
2022-11-01 21:39:33 +00:00
"meta" : {
2022-11-28 11:48:29 +00:00
"external_id" : "S0465" ,
2022-11-01 21:39:33 +00:00
"mitre_platforms" : [
2022-11-28 11:48:29 +00:00
"Windows"
2022-11-01 21:39:33 +00:00
] ,
"refs" : [
2022-11-28 11:48:29 +00:00
"https://attack.mitre.org/software/S0465" ,
"https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/"
2022-11-01 21:39:33 +00:00
] ,
"synonyms" : [
2022-11-28 11:48:29 +00:00
"CARROTBALL"
2022-11-01 21:39:33 +00:00
]
} ,
"related" : [
2022-04-25 16:29:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "232b7f21-adf9-4b42-b936-b9d6f7df856e" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "9a60a291-8960-4387-8a4a-2ab5c18bb50b" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "5fc81b43-62b5-41b1-9113-c79ae5f030c4" ,
"value" : "CARROTBALL - S0465"
} ,
{
"description" : "[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)" ,
"meta" : {
"external_id" : "S0645" ,
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
"https://attack.mitre.org/software/S0645" ,
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil"
] ,
"synonyms" : [
"Wevtutil"
]
} ,
"related" : [
2022-04-25 16:29:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "4eb28bed-d11a-4641-9863-c2ac017d910a" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "6495ae23-3ab4-43c5-a94f-5638a2c31fd2" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "f91162cc-1686-4ff8-8115-bf3f61a4cc7a" ,
"value" : "Wevtutil - S0645"
} ,
{
"description" : "[ROADTools](https://attack.mitre.org/software/S0684) is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.(Citation: ROADtools Github)" ,
"meta" : {
"external_id" : "S0684" ,
"refs" : [
"https://attack.mitre.org/software/S0684" ,
"https://github.com/dirkjanm/ROADtools"
] ,
"synonyms" : [
"ROADTools"
]
} ,
"related" : [
2022-04-25 16:29:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "16e94db9-b5b1-4cd0-b851-f38fbd0a70f2" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "30208d3e-0d6b-43c8-883e-44462a514619" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "8f104855-e5b7-4077-b1f5-bc3103b41abe" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e24fcba8-2557-4442-a139-1ee2f2e784db" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e358d692-23c0-4a31-9eb6-ecc13a8d7735" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "f232fa7a-025c-4d43-abc7-318e81a73d65" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
2022-11-01 21:39:33 +00:00
}
] ,
2022-11-28 11:48:29 +00:00
"uuid" : "6dbdc657-d8e0-4f2f-909b-7251b3e72c6d" ,
"value" : "ROADTools - S0684"
2022-11-01 21:39:33 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"description" : "[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted networks.(Citation: CME Github September 2018)" ,
2022-11-01 21:39:33 +00:00
"meta" : {
2022-11-28 11:48:29 +00:00
"external_id" : "S0488" ,
2022-11-01 21:39:33 +00:00
"mitre_platforms" : [
"Windows"
] ,
"refs" : [
2022-11-28 11:48:29 +00:00
"https://attack.mitre.org/software/S0488" ,
"https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference"
2022-11-01 21:39:33 +00:00
] ,
"synonyms" : [
2022-11-28 11:48:29 +00:00
"CrackMapExec"
2022-11-01 21:39:33 +00:00
]
} ,
"related" : [
2022-04-25 16:29:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "01a5a209-b94c-450b-b7f9-946497d91055" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "1644e709-12d2-41e5-a60f-3470991f5011" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-01 21:39:33 +00:00
"dest-uuid" : "1ecfdab8-7d59-4c98-95d4-dc41970f57fc" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "21875073-b0ee-49e3-9077-1e2a885359af" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "2aed01ad-3df3-4410-a8cb-11ea4ded587c" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "3489cfc5-640f-4bb3-a103-9137b97de79f" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "354a7f88-63fb-41b5-a801-ce3b377b36f1" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "57340c81-c025-4189-8fa0-fc7ede51bae4" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "692074ae-bb62-4a5e-a735-02cb6bde458c" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2019-10-25 08:12:22 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "707399d6-ab3e-4963-9315-d9d3818cd6a0" ,
2019-10-25 08:12:22 +00:00
"type" : "uses"
2021-04-29 16:12:36 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "7bc57495-ea59-4380-be31-a64af124ef18" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "7e150503-88e7-4861-866b-ff1ac82c4475" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "970a3432-3237-47ad-bcca-7d8cbb217736" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "a93494bb-4b80-4ea1-8695-3236a49916fd" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "b6075259-dba3-44e9-87c7-e954f37ec0d5" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e358d692-23c0-4a31-9eb6-ecc13a8d7735" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e624264c-033a-424d-9fd7-fc9c3bbdb03e" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "edf91964-b26e-4b4a-9600-ccacd7d7df24" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "f3d95a1f-bba2-44ce-9af7-37866cd63fd0" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2022-11-01 21:39:33 +00:00
}
] ,
2022-11-28 11:48:29 +00:00
"uuid" : "c4810609-7da6-48ec-8057-1b70a7814db0" ,
"value" : "CrackMapExec - S0488"
2022-11-01 21:39:33 +00:00
} ,
{
2022-11-28 11:48:29 +00:00
"description" : "[Donut](https://attack.mitre.org/software/S0695) is an open source framework used to generate position-independent shellcode.(Citation: Donut Github)(Citation: Introducing Donut) [Donut](https://attack.mitre.org/software/S0695)-generated code has been used by multiple threat actors to inject and load malicious payloads into memory.(Citation: NCC Group WastedLocker June 2020)" ,
2022-11-01 21:39:33 +00:00
"meta" : {
2022-11-28 11:48:29 +00:00
"external_id" : "S0695" ,
2022-11-01 21:39:33 +00:00
"mitre_platforms" : [
2022-11-28 11:48:29 +00:00
"Windows"
2022-11-01 21:39:33 +00:00
] ,
"refs" : [
2022-11-28 11:48:29 +00:00
"https://attack.mitre.org/software/S0695" ,
"https://github.com/TheWover/donut" ,
"https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/" ,
"https://thewover.github.io/Introducing-Donut/"
2022-11-01 21:39:33 +00:00
] ,
"synonyms" : [
2022-11-28 11:48:29 +00:00
"Donut"
2022-11-01 21:39:33 +00:00
]
} ,
"related" : [
2019-04-30 17:07:57 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "391d824f-0ef1-47a0-b0ee-c59a75e27670" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "4933e63b-9b77-476e-ab29-761bc5b7d15a" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "7385dfaf-6886-4229-9ecd-6fd678040830" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "799ace7f-e227-4411-baa0-8868704f2a69" ,
2019-04-30 17:07:57 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2020-10-18 18:00:48 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "970a3432-3237-47ad-bcca-7d8cbb217736" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "ac08589e-ee59-4935-8667-d845e38fe579" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "cc3502b5-30cc-4473-ad48-42d51a6ef6d1" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "deb98323-e13f-4b0c-8d94-175379069062" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "df8b2a25-8bdf-4856-953c-a04372b1c161" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e6919abc-99f9-4c6c-95a5-14761e7b2add" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "a7b5df47-73bb-4d47-b701-869f185633a6" ,
"value" : "Donut - S0695"
} ,
{
"description" : "[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)" ,
"meta" : {
"external_id" : "S0677" ,
"mitre_platforms" : [
"Windows" ,
"Azure AD" ,
"Office 365"
] ,
"refs" : [
"https://attack.mitre.org/software/S0677" ,
"https://github.com/Gerenios/AADInternals" ,
"https://o365blog.com/aadinternals" ,
"https://o365blog.com/aadinternals/"
] ,
"synonyms" : [
"AADInternals"
]
} ,
"related" : [
2020-10-18 18:00:48 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "16e94db9-b5b1-4cd0-b851-f38fbd0a70f2" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "1ecfdab8-7d59-4c98-95d4-dc41970f57fc" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "1f9c2bae-b441-4f66-a8af-b65946ee72f2" ,
2022-11-01 21:39:33 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "24769ab5-14bd-4f4e-a752-cfb185da53ee" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "2b742742-28c3-4e1b-bab7-8350d6300fa7" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "2d3f5b3c-54ca-4f4d-bb1f-849346d31230" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
} ,
2023-10-31 17:04:23 +00:00
{
"dest-uuid" : "3298ce88-1628-43b1-87d9-0b5336b193d7" ,
"type" : "uses"
} ,
2020-10-18 18:00:48 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "54ca26f3-c172-4231-93e5-ccebcac2161f" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2020-10-18 18:00:48 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "57340c81-c025-4189-8fa0-fc7ede51bae4" ,
2020-10-18 18:00:48 +00:00
"type" : "uses"
2022-04-25 16:29:57 +00:00
} ,
2021-10-22 12:34:25 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "60b508a1-6a5e-46b1-821a-9f7b78752abf" ,
2021-10-22 12:34:25 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "69f897fd-12a9-4c89-ad6a-46d2f3c38262" ,
2021-10-22 12:34:25 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "7de1f7ac-5d0c-4c9c-8873-627202205331" ,
2021-10-22 12:34:25 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2020-11-25 06:45:48 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "7decb26c-715c-40cf-b7e0-026f7d7cc215" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "837f9164-50af-4ac0-8219-379d8a74cefc" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "890c9858-598c-401d-a4d5-c67ebcdd703a" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
} ,
2020-11-25 06:45:48 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "8f104855-e5b7-4077-b1f5-bc3103b41abe" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "970a3432-3237-47ad-bcca-7d8cbb217736" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "a009cb25-4801-4116-9105-80a91cf15c1b" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
2023-05-08 14:04:50 +00:00
{
"dest-uuid" : "a19e86f8-1c0a-4fea-8407-23b73d615776" ,
"type" : "uses"
} ,
2020-11-25 06:45:48 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "b4409cd8-0da9-46e1-a401-a241afd4d1cc" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "d273434a-448e-4598-8e14-607f4a0d5e27" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
2023-05-08 14:04:50 +00:00
{
"dest-uuid" : "d94b3ae9-8059-4989-8e9f-ea0f601f80a7" ,
"type" : "uses"
} ,
2020-11-25 06:45:48 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e24fcba8-2557-4442-a139-1ee2f2e784db" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "e3b168bd-fcd7-439e-9382-2e6c2f63514d" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
2022-11-28 11:48:29 +00:00
}
] ,
"uuid" : "2c5281dd-b5fd-4531-8aea-c1bf8a0f8756" ,
"value" : "AADInternals - S0677"
} ,
{
"description" : "[Mythic](https://attack.mitre.org/software/S0699) is an open source, cross-platform post-exploitation/command and control platform. [Mythic](https://attack.mitre.org/software/S0699) is designed to \"plug-n-play\" with various agents and communication channels.(Citation: Mythic Github)(Citation: Mythic SpecterOps)(Citation: Mythc Documentation) Deployed [Mythic](https://attack.mitre.org/software/S0699) C2 servers have been observed as part of potentially malicious infrastructure.(Citation: RecordedFuture 2021 Ad Infra)" ,
"meta" : {
"external_id" : "S0699" ,
"mitre_platforms" : [
"Windows" ,
"Linux" ,
"macOS"
] ,
"refs" : [
"https://attack.mitre.org/software/S0699" ,
"https://docs.mythic-c2.net/" ,
"https://github.com/its-a-feature/Mythic" ,
"https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf" ,
"https://posts.specterops.io/a-change-of-mythic-proportions-21debeb03617"
] ,
"synonyms" : [
"Mythic"
]
} ,
"related" : [
2020-11-25 06:45:48 +00:00
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "1996eef1-ced3-4d7f-bf94-33298cabbf72" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "30208d3e-0d6b-43c8-883e-44462a514619" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "4fe28b27-b13c-453e-a386-c2ef362a573b" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "69b8fd78-40e8-4600-ae4d-662c9d7afdb3" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "9a60a291-8960-4387-8a4a-2ab5c18bb50b" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "bf176076-b789-408e-8cba-7275e81c0ada" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "c21d5a77-d422-4a69-acd7-2c53c1faa34b" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "c3888c54-775d-4b2f-b759-75a2ececcbfd" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "ca9d3402-ada3-484d-876a-d717bd6e05f2" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "df8b2a25-8bdf-4856-953c-a04372b1c161" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "f24faf46-3b26-4dbb-98f2-63460498e433" ,
2022-04-25 16:29:57 +00:00
"type" : "uses"
} ,
{
2022-11-28 11:48:29 +00:00
"dest-uuid" : "f6dacc85-b37d-458e-b58d-74fc4bbf5755" ,
2020-11-25 06:45:48 +00:00
"type" : "uses"
}
] ,
2022-11-28 11:48:29 +00:00
"uuid" : "d505fc8b-2e64-46eb-96d6-9ef7ffca5b66" ,
"value" : "Mythic - S0699"
2017-10-26 08:28:53 +00:00
}
] ,
2024-01-12 16:08:06 +00:00
"version" : 31
2024-02-15 10:59:17 +00:00
}