Merge pull request #848 from nyx0/main

chg: [mitre] bump to v13.
This commit is contained in:
Alexandre Dulaunoy 2023-05-09 18:29:11 +02:00 committed by GitHub
commit 20e06dd067
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 5902 additions and 5987 deletions

File diff suppressed because it is too large Load diff

File diff suppressed because it is too large Load diff

File diff suppressed because it is too large Load diff

File diff suppressed because it is too large Load diff

View file

@ -37,6 +37,262 @@
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966", "uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
"value": "Windows Credential Editor - S0005" "value": "Windows Credential Editor - S0005"
}, },
{
"description": "[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of [Brute Ratel C4](https://attack.mitre.org/software/S1063) was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)",
"meta": {
"external_id": "S1063",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S1063",
"https://bruteratel.com/",
"https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/",
"https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/",
"https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/",
"https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html"
],
"synonyms": [
"Brute Ratel C4",
"BRc4"
]
},
"related": [
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "75d8b521-6b6a-42ff-8af3-d97e20ce12a5",
"value": "Brute Ratel C4 - S1063"
},
{ {
"description": "[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)", "description": "[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)",
"meta": { "meta": {
@ -1117,6 +1373,13 @@
], ],
"type": "uses" "type": "uses"
}, },
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{ {
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"tags": [ "tags": [
@ -1211,6 +1474,13 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{ {
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [ "tags": [
@ -2292,6 +2562,64 @@
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507", "uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
"value": "UACMe - S0116" "value": "UACMe - S0116"
}, },
{
"description": "[Rubeus](https://attack.mitre.org/software/S1071) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)",
"meta": {
"external_id": "S1071",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S1071",
"https://github.com/GhostPack/Rubeus",
"https://thedfirreport.com/2020/10/08/ryuks-return/",
"https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"
],
"synonyms": [
"Rubeus"
]
},
"related": [
{
"dest-uuid": "3986e7fd-a8e9-4ecb-bfc6-55920855912b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d273434a-448e-4598-8e14-607f4a0d5e27",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e33267fe-099f-4af2-8730-63d49f8813b2",
"value": "Rubeus - S1071"
},
{ {
"description": "[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that program extracts cached password hashes from a systems registry. (Citation: Mandiant APT1)", "description": "[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that program extracts cached password hashes from a systems registry. (Citation: Mandiant APT1)",
"meta": { "meta": {
@ -3003,6 +3331,9 @@
"refs": [ "refs": [
"https://attack.mitre.org/software/S0174", "https://attack.mitre.org/software/S0174",
"https://github.com/SpiderLabs/Responder" "https://github.com/SpiderLabs/Responder"
],
"synonyms": [
"Responder"
] ]
}, },
"related": [ "related": [
@ -3189,13 +3520,6 @@
], ],
"type": "uses" "type": "uses"
}, },
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{ {
"dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b", "dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b",
"tags": [ "tags": [
@ -3211,14 +3535,14 @@
"type": "uses" "type": "uses"
}, },
{ {
"dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"almost-certain\"" "estimative-language:likelihood-probability=\"almost-certain\""
], ],
"type": "uses" "type": "uses"
}, },
{ {
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"almost-certain\"" "estimative-language:likelihood-probability=\"almost-certain\""
], ],
@ -3728,8 +4052,8 @@
"refs": [ "refs": [
"https://attack.mitre.org/software/S0332", "https://attack.mitre.org/software/S0332",
"https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html", "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
"https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html", "https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
"https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/" "https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html"
], ],
"synonyms": [ "synonyms": [
"Remcos" "Remcos"
@ -5009,13 +5333,6 @@
], ],
"type": "uses" "type": "uses"
}, },
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{ {
"dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023", "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023",
"tags": [ "tags": [
@ -5079,6 +5396,13 @@
], ],
"type": "uses" "type": "uses"
}, },
{
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{ {
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"tags": [ "tags": [
@ -6393,6 +6717,13 @@
], ],
"type": "uses" "type": "uses"
}, },
{
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{ {
"dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc", "dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc",
"tags": [ "tags": [
@ -6407,6 +6738,13 @@
], ],
"type": "uses" "type": "uses"
}, },
{
"dest-uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{ {
"dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db",
"tags": [ "tags": [
@ -6542,5 +6880,5 @@
"value": "Mythic - S0699" "value": "Mythic - S0699"
} }
], ],
"version": 27 "version": 28
} }