Merge pull request #214 from Delta-Sierra/master

update mitre galaxies - add external id and killchain
Deborah Servili 2018-05-19 13:21:18 +02:00 committed by GitHub
commit 22cb1618a5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
28 changed files with 5163 additions and 451 deletions


@ -2,7 +2,7 @@
"name": "Enterprise Attack -intrusion Set",
"type": "mitre-enterprise-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"version": 3,
"version": 4,
"source": "https://github.com/mitre/cti",
"uuid": "01f18402-1708-11e8-ac1c-1ffb3c4a7775",
"authors": [
@ -19,7 +19,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0033",
"https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/"
]
],
"external_id": "G0033"
},
"uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446"
},
@ -33,7 +34,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0043",
"https://citizenlab.org/2016/08/group5-syria/"
]
],
"external_id": "G0043"
},
"uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40"
},
@ -48,7 +50,8 @@
"https://attack.mitre.org/wiki/Group/G0011",
"http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
"https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html"
]
],
"external_id": "G0011"
},
"uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647"
},
@ -62,7 +65,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0018",
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
]
],
"external_id": "G0018"
},
"uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756"
},
@ -76,7 +80,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0048",
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
]
],
"external_id": "G0048"
},
"uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f"
},
@ -90,12 +95,13 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0023",
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
]
],
"external_id": "G0023"
},
"uuid": "d6e88e18-81e8-4709-82d8-973095da1e70"
},
{
"description": "is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)\n\nContributors: Alan Neville, @abnev",
"description": "Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)\n\nContributors: Alan Neville, @abnev",
"value": "Sowbug - G0054",
"meta": {
"synonyms": [
@ -104,7 +110,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0054",
"https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments"
]
],
"external_id": "G0054"
},
"uuid": "d1acfbb3-647b-4723-9154-800ec119006e"
},
@ -128,10 +135,25 @@
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
]
],
"external_id": "G0007"
},
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
},
{
"description": "PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. (Citation: Microsoft PLATINUM April 2016)\n\nContributors: Ryan Becwar",
"value": "PLATINUM - G0068",
"meta": {
"synonyms": [
"PLATINUM"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0068"
],
"external_id": "G0068"
},
"uuid": "f9c06633-dcff-48a1-8588-759e7cec5694"
},
{
"description": "Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Though both this group and Axiom use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)",
"value": "Winnti Group - G0044",
@ -145,7 +167,8 @@
"https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf",
"https://securelist.com/games-are-over/70991/",
"http://www.novetta.com/wp-content/uploads/2015/04/novetta%20winntianalysis.pdf"
]
],
"external_id": "G0044"
},
"uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff"
},
@ -167,7 +190,8 @@
"https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/",
"https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-black-vine-cyberespionage-group.pdf"
]
],
"external_id": "G0009"
},
"uuid": "a653431d-6a5e-4600-8ad3-609b5af57064"
},
@ -182,7 +206,8 @@
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0021"
]
],
"external_id": "G0021"
},
"uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411"
},
@ -198,7 +223,8 @@
"https://attack.mitre.org/wiki/Group/G0041",
"http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
"https://securelist.com/faq-the-projectsauron-apt/75533/"
]
],
"external_id": "G0041"
},
"uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656"
},
@ -213,7 +239,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0034",
"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html"
]
],
"external_id": "G0034"
},
"uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192"
},
@ -227,7 +254,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0037",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"
]
],
"external_id": "G0037"
},
"uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb"
},
@ -241,10 +269,46 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0031",
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op%20Dust%20Storm%20Report.pdf"
]
],
"external_id": "G0031"
},
"uuid": "ae41895a-243f-4a65-b99b-d85022326c31"
},
{
"description": "TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. (Citation: Proofpoint TA459 April 2017)\n\nContributors: Valerii Marchuk, Cybersecurity Help s.r.o.",
"value": "TA459 - G0062",
"meta": {
"synonyms": [
"TA459"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0062",
"https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts"
],
"external_id": "G0062"
},
"uuid": "62a64fd3-aaf7-4d09-a375-d6f8bb118481"
},
{
"description": "APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. The group was believed to be responsible for a 2016 campaign known as Operation Daybreak as well as an earlier campaign known as Operation Erebus. (Citation: FireEye APT37 Feb 2018) (Citation: Securelist ScarCruft Jun 2016)\n\nContributors: Valerii Marchuk, Cybersecurity Help s.r.o.",
"value": "APT37 - G0067",
"meta": {
"synonyms": [
"APT37",
"ScarCruft",
"Reaper",
"Group123",
"TEMP.Reaper"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0067",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt%20APT37.pdf",
"https://securelist.com/operation-daybreak/75100/"
],
"external_id": "G0067"
},
"uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c"
},
{
"description": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)",
"value": "Cleaver - G0003",
@ -258,7 +322,8 @@
"https://attack.mitre.org/wiki/Group/G0003",
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance%20Operation%20Cleaver%20Report.pdf",
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
]
],
"external_id": "G0003"
},
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063"
},
@ -276,12 +341,13 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0005",
"http://www.crowdstrike.com/blog/whois-numbered-panda/"
]
],
"external_id": "G0005"
},
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb"
},
{
"description": "is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)",
"description": "NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21) NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified. (Citation: CyberScoop BlackOasis Oct 2017)",
"value": "NEODYMIUM - G0055",
"meta": {
"synonyms": [
@ -290,8 +356,10 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0055",
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft%20Security%20Intelligence%20Report%20Volume%2021%20English.pdf"
]
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft%20Security%20Intelligence%20Report%20Volume%2021%20English.pdf",
"https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/"
],
"external_id": "G0055"
},
"uuid": "025bdaa9-897d-4bad-afa6-013ba5734653"
},
@ -305,7 +373,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0057",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
]
],
"external_id": "G0057"
},
"uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6"
},
@ -319,7 +388,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0002",
"https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"
]
],
"external_id": "G0002"
},
"uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f"
},
@ -337,7 +407,8 @@
"https://attack.mitre.org/wiki/Group/G0027",
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
"https://www.secureworks.com/research/bronze-union"
]
],
"external_id": "G0027"
},
"uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c"
},
@ -352,7 +423,8 @@
"https://attack.mitre.org/wiki/Group/G0017",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
"http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/"
]
],
"external_id": "G0017"
},
"uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a"
},
@ -369,7 +441,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0006",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
]
],
"external_id": "G0006"
},
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662"
},
@ -383,7 +456,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0051",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf"
]
],
"external_id": "G0051"
},
"uuid": "fbe9387f-34e6-4828-ac28-3080020c597b"
},
@ -402,12 +476,13 @@
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
"https://pan-unit42.github.io/playbook%20viewer/",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
]
],
"external_id": "G0049"
},
"uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d"
},
{
"description": "is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, Rocket Kitten, resulting in reporting that may not distinguish between the two groups' activities. (Citation: ClearSky Charming Kitten Dec 2017)",
"description": "Charming Kitten is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. Charming Kitten usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, Rocket Kitten, resulting in reporting that may not distinguish between the two groups' activities. (Citation: ClearSky Charming Kitten Dec 2017)",
"value": "Charming Kitten - G0058",
"meta": {
"synonyms": [
@ -416,7 +491,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0058",
"http://www.clearskysec.com/wp-content/uploads/2017/12/Charming%20Kitten%202017.pdf"
]
],
"external_id": "G0058"
},
"uuid": "7636484c-adc5-45d4-9bfe-c3e062fbc4a0"
},
@ -432,10 +508,28 @@
"https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html",
"https://www.youtube.com/watch?v=fevGZs0EQu8",
"https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?"
]
],
"external_id": "G0053"
},
"uuid": "85403903-15e0-4f9f-9be4-a259ecad4022"
},
{
"description": "BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. (Citation: Securelist BlackOasis Oct 2017) (Citation: Securelist APT Trends Q2 2017) A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified. (Citation: CyberScoop BlackOasis Oct 2017)",
"value": "BlackOasis - G0063",
"meta": {
"synonyms": [
"BlackOasis"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0063",
"https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/",
"https://securelist.com/apt-trends-report-q2-2017/79332/",
"https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/"
],
"external_id": "G0063"
},
"uuid": "da49b9f1-ca99-443f-9728-0a074db66850"
},
{
"description": "Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government. (Citation: TrendMicro Taidoor)",
"value": "Taidoor - G0015",
@ -446,21 +540,25 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0015",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp%20the%20taidoor%20campaign.pdf"
]
],
"external_id": "G0015"
},
"uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46"
},
{
"description": "Night Dragon is a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)",
"description": "Night Dragon is a campaign name for activity involving threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon) The activity from this group is also known as Musical Chairs. (Citation: Arbor Musical Chairs Feb 2018)",
"value": "Night Dragon - G0014",
"meta": {
"synonyms": [
"Night Dragon"
"Night Dragon",
"Musical Chairs"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0014",
"http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf"
]
"https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee%20NightDragon%20wp%20draft%20to%20customersv1-1.pdf",
"https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/"
],
"external_id": "G0014"
},
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8"
},
@ -476,7 +574,8 @@
"https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf",
"http://cdn2.hubspot.net/hubfs/454298/Project%20CAMERASHY%20ThreatConnect%20Copyright%202015.pdf",
"https://securelist.com/the-naikon-apt/69953/"
]
],
"external_id": "G0019"
},
"uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050"
},
@ -490,7 +589,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0004",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
]
],
"external_id": "G0004"
},
"uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c"
},
@ -506,10 +606,27 @@
"https://attack.mitre.org/wiki/Group/G0050",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
"https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/"
]
],
"external_id": "G0050"
},
"uuid": "247cb30b-955f-42eb-97a5-a89fef69341e"
},
{
"description": "MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations. Activity from this group was previously linked to FIN7, but is believed to be a distinct group motivated by espionage. (Citation: Unit 42 MuddyWater Nov 2017)",
"value": "MuddyWater - G0069",
"meta": {
"synonyms": [
"MuddyWater",
"TEMP.Zagros"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0069",
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
],
"external_id": "G0069"
},
"uuid": "269e8108-68c6-4f99-b911-14b2e765dec2"
},
{
"description": "Patchwork is a threat group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Much of the code used by this group was copied and pasted from online forums. (Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)",
"value": "Patchwork - G0040",
@ -517,13 +634,16 @@
"synonyms": [
"Patchwork",
"Dropping Elephant",
"Chinastrats"
"Chinastrats",
"MONSOON",
"Operation Hangover"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0040",
"https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling%20Patchwork.pdf",
"http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries"
]
],
"external_id": "G0040"
},
"uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0"
},
@ -538,23 +658,18 @@
"https://attack.mitre.org/wiki/Group/G0013",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
"https://securelist.com/the-naikon-apt/69953/"
]
],
"external_id": "G0013"
},
"uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd"
},
{
"description": "MONSOON is the name of an espionage campaign that apparently started in December 2015 and was ongoing as of July 2016. It is believed that the actors behind MONSOON are the same actors behind Operation Hangover. While attribution is unclear, the campaign has targeted victims with military and political interests in the Indian Subcontinent. (Citation: Forcepoint Monsoon) Operation Hangover has been reported as being Indian in origin, and can be traced back to 2010. (Citation: Operation Hangover May 2013)",
"value": "MONSOON - G0042",
"meta": {
"synonyms": [
"MONSOON",
"Operation Hangover"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0042",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
"http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling%20an%20Indian%20Cyberattack%20Infrastructure.pdf"
]
"https://attack.mitre.org/wiki/Group/G0042"
],
"external_id": "G0042"
},
"uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772"
},
@ -569,7 +684,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0025",
"https://www2.fireeye.com/rs/fireye/images/APT17%20Report.pdf"
]
],
"external_id": "G0025"
},
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae"
},
@ -584,7 +700,8 @@
"https://attack.mitre.org/wiki/Group/G0046",
"https://www.fireeye.com/blog/threat-research/2017/03/fin7%20spear%20phishing.html",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
]
],
"external_id": "G0046"
},
"uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc"
},
@ -608,7 +725,8 @@
"https://www.fireeye.com/blog/threat-research/2014/11/operation%20doubletap.html",
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
"https://attack.mitre.org/w/img%20auth.php/6/6c/APT3%20Adversary%20Emulation%20Plan.pdf"
]
],
"external_id": "G0022"
},
"uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9"
},
@ -622,7 +740,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0036",
"https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/"
]
],
"external_id": "G0036"
},
"uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f"
},
@ -641,7 +760,8 @@
"https://attack.mitre.org/wiki/Group/G0032",
"https://www.us-cert.gov/ncas/alerts/TA17-164A",
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
]
],
"external_id": "G0032"
},
"uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a"
},
@ -656,7 +776,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0030",
"https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html"
]
],
"external_id": "G0030"
},
"uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7"
},
@ -670,7 +791,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0020",
"https://securelist.com/files/2015/02/Equation%20group%20questions%20and%20answers.pdf"
]
],
"external_id": "G0020"
},
"uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9"
},
@ -684,7 +806,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0012",
"https://securelist.com/files/2014/11/darkhotel%20kl%2007.11.pdf"
]
],
"external_id": "G0012"
},
"uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383"
},
@ -699,7 +822,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0035",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/Dragonfly%20Threat%20Against%20Western%20Energy%20Suppliers.pdf"
]
],
"external_id": "G0035"
},
"uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1"
},
@ -713,7 +837,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0039",
"http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
]
],
"external_id": "G0039"
},
"uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d"
},
@ -727,7 +852,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0038",
"https://citizenlab.org/2016/05/stealth-falcon/"
]
],
"external_id": "G0038"
},
"uuid": "894aab42-3371-47b1-8859-a4a074c804c8"
},
@ -744,7 +870,8 @@
"https://attack.mitre.org/wiki/Group/G0060",
"http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
]
],
"external_id": "G0060"
},
"uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90"
},
@ -758,7 +885,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0029",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
]
],
"external_id": "G0029"
},
"uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7"
},
@ -773,7 +901,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0028",
"http://www.secureworks.com/resources/blog/living-off-the-land/"
]
],
"external_id": "G0028"
},
"uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983"
},
@ -790,10 +919,31 @@
"https://attack.mitre.org/wiki/Group/G0010",
"https://securelist.com/the-epic-turla-operation/65545/",
"https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"
]
],
"external_id": "G0010"
},
"uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6"
},
{
"description": "Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. (Citation: Security Affairs Elderwood Sept 2012) The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)\n\nContributors: Valerii Marchuk, Cybersecurity Help s.r.o.",
"value": "Elderwood - G0066",
"meta": {
"synonyms": [
"Elderwood",
"Elderwood Gang",
"Beijing Group",
"Sneaky Panda"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0066",
"http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-elderwood-project.pdf",
"https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China"
],
"external_id": "G0066"
},
"uuid": "03506554-5f37-4f8f-9ce4-0e9f01a1b484"
},
{
"description": "APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)",
"value": "APT29 - G0016",
@ -808,7 +958,8 @@
"https://attack.mitre.org/wiki/Group/G0016",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
]
],
"external_id": "G0016"
},
"uuid": "899ce53f-13a0-479b-a0e4-67d46e241542"
},
@ -830,7 +981,8 @@
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf",
"https://www.fireeye.com/blog/threat-research/2017/04/apt10%20menupass%20grou.html"
]
],
"external_id": "G0045"
},
"uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f"
},
@ -846,7 +998,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0024",
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
]
],
"external_id": "G0024"
},
"uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45"
},
@ -864,7 +1017,8 @@
"https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf",
"https://securelist.com/games-are-over/70991/",
"http://www.novetta.com/wp-content/uploads/2015/04/novetta%20winntianalysis.pdf"
]
],
"external_id": "G0001"
},
"uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973"
},
@ -884,12 +1038,29 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0059",
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/"
]
],
"external_id": "G0059"
},
"uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13"
},
{
"description": "is an activity group that has been active since at least 2012. The group conducted a campaign in May 2016 and has heavily targeted Turkish victims. has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)",
"description": "FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016)",
"value": "FIN8 - G0061",
"meta": {
"synonyms": [
"FIN8"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0061",
"https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
"https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html"
],
"external_id": "G0061"
},
"uuid": "fd19bd82-1b14-49a1-a176-6cdc46b8a826"
},
{
"description": "PROMETHIUM is an activity group that has been active since at least 2012. The group conducted a campaign in May 2016 and has heavily targeted Turkish victims. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)",
"value": "PROMETHIUM - G0056",
"meta": {
"synonyms": [
@ -899,7 +1070,8 @@
"https://attack.mitre.org/wiki/Group/G0056",
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft%20Security%20Intelligence%20Report%20Volume%2021%20English.pdf"
]
],
"external_id": "G0056"
},
"uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c"
},
@ -916,10 +1088,27 @@
"https://attack.mitre.org/wiki/Group/G0008",
"https://securelist.com/files/2015/02/Carbanak%20APT%20eng.pdf",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
]
],
"external_id": "G0008"
},
"uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c"
},
{
"description": "APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)",
"value": "APT33 - G0064",
"meta": {
"synonyms": [
"APT33"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0064",
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"https://www.brighttalk.com/webcast/10703/275683"
],
"external_id": "G0064"
},
"uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f"
},
{
"description": "APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)",
"value": "APT18 - G0026",
@ -933,10 +1122,28 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0026",
"http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/"
]
],
"external_id": "G0026"
},
"uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648"
},
{
"description": "Leviathan is a cyber espionage group that has been active since at least 2013. The group generally targets defense and government organizations, but has also targeted a range of industries including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018)\n\nContributors: Valerii Marchuk, Cybersecurity Help s.r.o.",
"value": "Leviathan - G0065",
"meta": {
"synonyms": [
"Leviathan",
"TEMP.Periscope"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0065",
"https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
],
"external_id": "G0065"
},
"uuid": "7113eaa5-ba79-4fb3-b68a-398ee9cd698e"
},
{
"description": "CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. (Citation: ClearSky CopyKittens March 2017) (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)",
"value": "CopyKittens - G0052",
@ -949,7 +1156,8 @@
"http://www.clearskysec.com/copykitten-jpost/",
"http://www.clearskysec.com/wp-content/uploads/2017/07/Operation%20Wilted%20Tulip.pdf",
"https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf"
]
],
"external_id": "G0052"
},
"uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a"
},
@ -963,7 +1171,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0047",
"https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
]
],
"external_id": "G0047"
},
"uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf"
}



@ -2,13 +2,29 @@
"name": "Enterprise Attack - Tool",
"type": "mitre-enterprise-attack-tool",
"description": "Name of ATT&CK software",
"version": 3,
"version": 4,
"source": "https://github.com/mitre/cti",
"uuid": "fc1ea6e0-1707-11e8-ac05-2b70d00c354e",
"authors": [
"MITRE"
],
"values": [
{
"description": "is a lightweight, open source tool similar to PsExec designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)\n\nAliases: Winexe",
"value": "Winexe - S0191",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0191",
"https://github.com/skalkoto/winexe/",
"https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/"
],
"external_id": "S0191",
"synonyms": [
"Winexe"
]
},
"uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d"
},
{
"description": "at is used to schedule tasks on a system to run at a specified date or time. (Citation: TechNet At)\n\nAliases: at, at.exe",
"value": "at - S0110",
@ -17,6 +33,7 @@
"https://attack.mitre.org/wiki/Software/S0110",
"https://technet.microsoft.com/en-us/library/bb490866.aspx"
],
"external_id": "S0110",
"synonyms": [
"at",
"at.exe"
@ -32,6 +49,7 @@
"https://attack.mitre.org/wiki/Software/S0103",
"https://technet.microsoft.com/en-us/library/bb490991.aspx"
],
"external_id": "S0103",
"synonyms": [
"route",
"route.exe"
@ -47,6 +65,7 @@
"https://attack.mitre.org/wiki/Software/S0057",
"https://technet.microsoft.com/en-us/library/bb491010.aspx"
],
"external_id": "S0057",
"synonyms": [
"Tasklist"
]
@ -61,6 +80,7 @@
"https://attack.mitre.org/wiki/Software/S0005",
"http://www.ampliasecurity.com/research/wcefaq.html"
],
"external_id": "S0005",
"synonyms": [
"Windows Credential Editor",
"WCE"
@ -76,6 +96,7 @@
"https://attack.mitre.org/wiki/Software/S0174",
"https://github.com/SpiderLabs/Responder"
],
"external_id": "S0174",
"synonyms": [
"Responder"
]
@ -90,6 +111,7 @@
"https://attack.mitre.org/wiki/Software/S0111",
"https://technet.microsoft.com/en-us/library/bb490996.aspx"
],
"external_id": "S0111",
"synonyms": [
"schtasks",
"schtasks.exe"
@ -105,6 +127,7 @@
"https://attack.mitre.org/wiki/Software/S0116",
"https://github.com/hfiref0x/UACME"
],
"external_id": "S0116",
"synonyms": [
"UACMe"
]
@ -119,12 +142,28 @@
"https://attack.mitre.org/wiki/Software/S0101",
"https://en.wikipedia.org/wiki/Ifconfig"
],
"external_id": "S0101",
"synonyms": [
"ifconfig"
]
},
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5"
},
{
"description": "is a command line tool used to create and manage BITS Jobs. (Citation: Microsoft BITSAdmin)\n\nAliases: BITSAdmin",
"value": "BITSAdmin - S0190",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0190",
"https://msdn.microsoft.com/library/aa362813.aspx"
],
"external_id": "S0190",
"synonyms": [
"BITSAdmin"
]
},
"uuid": "64764dc6-a032-495f-8250-1e4c06bdc163"
},
{
"description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)\n\nAliases: Mimikatz\n\nContributors: Vincent Le Toux",
"value": "Mimikatz - S0002",
@ -134,6 +173,7 @@
"https://github.com/gentilkiwi/mimikatz",
"https://adsecurity.org/?page%20id=1821"
],
"external_id": "S0002",
"synonyms": [
"Mimikatz"
]
@ -148,6 +188,7 @@
"https://attack.mitre.org/wiki/Software/S0123",
"https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/"
],
"external_id": "S0123",
"synonyms": [
"xCmd"
]
@ -155,19 +196,35 @@
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b"
},
{
"description": "is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)\n\nAliases: MimiPenguin\n\nContributors: Vincent Le Toux",
"description": "MimiPenguin is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)\n\nAliases: MimiPenguin\n\nContributors: Vincent Le Toux",
"value": "MimiPenguin - S0179",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0179",
"https://github.com/huntergregal/mimipenguin"
],
"external_id": "S0179",
"synonyms": [
"MimiPenguin"
]
},
"uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27"
},
{
"description": "is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)\n\nAliases: SDelete",
"value": "SDelete - S0195",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0195",
"https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete"
],
"external_id": "S0195",
"synonyms": [
"SDelete"
]
},
"uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153"
},
{
"description": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)\n\nAliases: Systeminfo, systeminfo.exe",
"value": "Systeminfo - S0096",
@ -176,6 +233,7 @@
"https://attack.mitre.org/wiki/Software/S0096",
"https://technet.microsoft.com/en-us/library/bb491007.aspx"
],
"external_id": "S0096",
"synonyms": [
"Systeminfo",
"systeminfo.exe"
@ -191,6 +249,7 @@
"https://attack.mitre.org/wiki/Software/S0108",
"https://technet.microsoft.com/library/bb490939.aspx"
],
"external_id": "S0108",
"synonyms": [
"netsh",
"netsh.exe"
@ -206,6 +265,7 @@
"https://attack.mitre.org/wiki/Software/S0105",
"https://technet.microsoft.com/en-us/library/cc732952.aspx"
],
"external_id": "S0105",
"synonyms": [
"dsquery",
"dsquery.exe"
@ -221,6 +281,7 @@
"https://attack.mitre.org/wiki/Software/S0008",
"https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump%20v2.0b5"
],
"external_id": "S0008",
"synonyms": [
"gsecdump"
]
@ -235,6 +296,7 @@
"https://attack.mitre.org/wiki/Software/S0097",
"https://technet.microsoft.com/en-us/library/bb490968.aspx"
],
"external_id": "S0097",
"synonyms": [
"Ping",
"ping.exe"
@ -250,6 +312,7 @@
"https://attack.mitre.org/wiki/Software/S0120",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"external_id": "S0120",
"synonyms": [
"Fgdump"
]
@ -264,6 +327,7 @@
"https://attack.mitre.org/wiki/Software/S0121",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"external_id": "S0121",
"synonyms": [
"Lslsass"
]
@ -278,6 +342,7 @@
"https://attack.mitre.org/wiki/Software/S0122",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"external_id": "S0122",
"synonyms": [
"Pass-The-Hash Toolkit"
]
@ -292,6 +357,7 @@
"https://attack.mitre.org/wiki/Software/S0095",
"https://en.wikipedia.org/wiki/File%20Transfer%20Protocol"
],
"external_id": "S0095",
"synonyms": [
"FTP",
"ftp.exe"
@ -307,6 +373,7 @@
"https://attack.mitre.org/wiki/Software/S0100",
"https://technet.microsoft.com/en-us/library/bb490921.aspx"
],
"external_id": "S0100",
"synonyms": [
"ipconfig",
"ipconfig.exe"
@ -322,6 +389,7 @@
"https://attack.mitre.org/wiki/Software/S0102",
"https://technet.microsoft.com/en-us/library/cc940106.aspx"
],
"external_id": "S0102",
"synonyms": [
"nbtstat",
"nbtstat.exe"
@ -337,6 +405,7 @@
"https://attack.mitre.org/wiki/Software/S0040",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf"
],
"external_id": "S0040",
"synonyms": [
"HTRAN",
"HUC Packet Transmit Tool"
@ -352,6 +421,7 @@
"https://attack.mitre.org/wiki/Software/S0183",
"http://www.dtic.mil/dtic/tr/fulltext/u2/a465464.pdf"
],
"external_id": "S0183",
"synonyms": [
"Tor"
]
@ -366,6 +436,7 @@
"https://attack.mitre.org/wiki/Software/S0104",
"https://technet.microsoft.com/en-us/library/bb490947.aspx"
],
"external_id": "S0104",
"synonyms": [
"netstat",
"netstat.exe"
@ -381,6 +452,7 @@
"https://attack.mitre.org/wiki/Software/S0006",
"https://en.wikipedia.org/wiki/Pwdump"
],
"external_id": "S0006",
"synonyms": [
"pwdump"
]
@ -395,12 +467,28 @@
"https://attack.mitre.org/wiki/Software/S0119",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"external_id": "S0119",
"synonyms": [
"Cachedump"
]
},
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52"
},
{
"description": "Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. (Citation: Microsoft Forfiles Aug 2016)\n\nAliases: Forfiles\n\nContributors: Matthew Demaske, Adaptforward",
"value": "Forfiles - S0193",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0193",
"https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753551(v=ws.11)"
],
"external_id": "S0193",
"synonyms": [
"Forfiles"
]
},
"uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2"
},
{
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\nNet has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through Windows admin shares using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe",
"value": "Net - S0039",
@ -410,6 +498,7 @@
"https://msdn.microsoft.com/en-us/library/aa939914",
"http://windowsitpro.com/windows/netexe-reference"
],
"external_id": "S0039",
"synonyms": [
"Net",
"net.exe"
@ -426,6 +515,7 @@
"https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx",
"https://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-dive"
],
"external_id": "S0029",
"synonyms": [
"PsExec"
]
@ -440,6 +530,7 @@
"https://attack.mitre.org/wiki/Software/S0160",
"https://technet.microsoft.com/library/cc732443.aspx"
],
"external_id": "S0160",
"synonyms": [
"certutil",
"certutil.exe"
@ -455,6 +546,7 @@
"https://attack.mitre.org/wiki/Software/S0099",
"https://technet.microsoft.com/en-us/library/bb490864.aspx"
],
"external_id": "S0099",
"synonyms": [
"Arp",
"arp.exe"
@ -473,6 +565,7 @@
"https://technet.microsoft.com/en-us/library/cc771049.aspx",
"https://technet.microsoft.com/en-us/library/bb490886.aspx"
],
"external_id": "S0106",
"synonyms": [
"cmd",
"cmd.exe"
@ -481,12 +574,45 @@
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e"
},
{
"description": "is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.\n\nAliases: meek",
"description": "Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. (Citation: Check Point Havij Analysis)\n\nAliases: Havij",
"value": "Havij - S0224",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0224",
"https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/"
],
"external_id": "S0224",
"synonyms": [
"Havij"
]
},
"uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5"
},
{
"description": "PowerSploit is an open source, offensive security framework compromised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)\n\nAliases: PowerSploit",
"value": "PowerSploit - S0194",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0194",
"https://github.com/PowerShellMafia/PowerSploit",
"http://www.powershellmagazine.com/2014/07/08/powersploit/",
"http://powersploit.readthedocs.io"
],
"external_id": "S0194",
"synonyms": [
"PowerSploit"
]
},
"uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d"
},
{
"description": "meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.\n\nAliases: meek",
"value": "meek - S0175",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0175"
],
"external_id": "S0175",
"synonyms": [
"meek"
]
@ -502,6 +628,7 @@
"https://technet.microsoft.com/en-us/library/cc732643.aspx",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
],
"external_id": "S0075",
"synonyms": [
"Reg",
"reg.exe"
@ -510,18 +637,79 @@
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f"
},
{
"description": "Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strikes interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. (Citation: cobaltstrike manual)\n\nAliases: Cobalt Strike",
"description": "spwebmember is a Microsoft SharePoint enumeration and data dumping tool written in .NET. (Citation: NCC Group APT15 Alive and Strong)\n\nAliases: spwebmember",
"value": "spwebmember - S0227",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0227",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
],
"external_id": "S0227",
"synonyms": [
"spwebmember"
]
},
"uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4"
},
{
"description": "Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) Pupy is publicly available on GitHub. (Citation: GitHub Pupy)\n\nAliases: Pupy",
"value": "Pupy - S0192",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0192",
"https://github.com/n1nj4sec/pupy"
],
"external_id": "S0192",
"synonyms": [
"Pupy"
]
},
"uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4"
},
{
"description": "sqlmap is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. (Citation: sqlmap Introduction)\n\nAliases: sqlmap",
"value": "sqlmap - S0225",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0225",
"http://sqlmap.org/"
],
"external_id": "S0225",
"synonyms": [
"sqlmap"
]
},
"uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555"
},
{
"description": "Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strikes interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. (Citation: cobaltstrike manual)\n\nAliases: Cobalt Strike\n\nContributors: Josh Abraham",
"value": "Cobalt Strike - S0154",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0154",
"https://cobaltstrike.com/downloads/csmanual38.pdf"
],
"external_id": "S0154",
"synonyms": [
"Cobalt Strike"
]
},
"uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39"
},
{
"description": "Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from a file of from the web. Example of usage is embedding the PowerShell code from the Invoke-Mimikatz module and embed it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. (Citation: GitHub Invoke-PSImage)\n\nAliases: Invoke-PSImage\n\nContributors: Christiaan Beek, @ChristiaanBeek",
"value": "Invoke-PSImage - S0231",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0231",
"https://github.com/peewpw/Invoke-PSImage"
],
"external_id": "S0231",
"synonyms": [
"Invoke-PSImage"
]
},
"uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f"
}
]
}
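Review bot: The new Winexe, BITSAdmin and SDelete entries carry descriptions that still begin with "is a …" with the tool name missing, while the same commit repairs exactly this defect for MimiPenguin and meek by prepending the name; the three should be brought in line, e.g. `"description": "Winexe is a lightweight, open source tool …"`, `"description": "BITSAdmin is a command line tool …"` and `"description": "SDelete is an application …"`. The recurring pattern suggests the upstream description starts with the name in link form and the import step drops it together with the markup, so the fix presumably belongs in the generator rather than in hand-edited JSON, otherwise the next regeneration will reintroduce the truncation and revert the manual repairs. The PowerSploit description's "compromised of" (for "comprised of") looks like an upstream typo carried over verbatim and is worth reporting there rather than patching here.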


@ -2,7 +2,7 @@
"name": "Mobile Attack - Attack Pattern",
"type": "mitre-mobile-attack-attack-pattern",
"description": "ATT&CK tactic",
"version": 2,
"version": 3,
"source": "https://github.com/mitre/cti",
"uuid": "1e606d06-1708-11e8-8a43-df11c8cf9ae2",
"authors": [
@ -18,6 +18,10 @@
"http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html",
"https://srlabs.de/bites/rooting-sim-cards/"
],
"external_id": "MOB-T1057",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:exploit-via-cellular-network"
],
"mitre_platforms": [
"Android",
"iOS"
@ -35,6 +39,10 @@
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html",
"https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps"
],
"external_id": "APP-1",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:general-network-based"
],
"mitre_platforms": [
"Android",
"iOS"
@ -53,6 +61,10 @@
"https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf",
"http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions"
],
"external_id": "EMM-5",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:defense-evasion"
],
"mitre_platforms": [
"Android",
"iOS"
@ -68,6 +80,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1022",
"https://zeltser.com/third-party-keyboards-security/"
],
"external_id": "MOB-T1022",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:discovery"
],
"mitre_platforms": [
"Android"
]
@ -83,6 +99,10 @@
"https://blog.lookout.com/blog/2013/08/02/dragon-lady/",
"https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google%20Android%20Security%202014%20Report%20Final.pdf"
],
"external_id": "MOB-T1051",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:effects"
],
"mitre_platforms": [
"Android"
]
@ -99,6 +119,10 @@
"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html",
"https://www.elcomsoft.com/eppb.html"
],
"external_id": "ECO-1",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:cloud-based"
],
"mitre_platforms": [
"Android",
"iOS"
@ -115,6 +139,11 @@
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html",
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html"
],
"external_id": "APP-13",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:collection",
"mitre-mobile-attack:mobile-attack:credential-access"
],
"mitre_platforms": [
"Android"
]
@ -131,6 +160,10 @@
"http://dl.acm.org/citation.cfm?id=1920314",
"http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/"
],
"external_id": "PHY-2",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:lateral-movement"
],
"mitre_platforms": [
"Android"
]
@ -145,6 +178,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1019",
"https://tools.ietf.org/html/rfc7636"
],
"external_id": "MOB-T1019",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:credential-access"
],
"mitre_platforms": [
"Android"
]
@ -163,6 +200,10 @@
"http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html",
"https://www.fireeye.com/blog/threat-research/2015/02/ios%20masque%20attackre.html"
],
"external_id": "AUT-10",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:credential-access"
],
"mitre_platforms": [
"iOS"
]
@ -177,6 +218,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1031",
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html"
],
"external_id": "APP-32",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:lateral-movement"
],
"mitre_platforms": [
"Android",
"iOS"
@ -194,6 +239,11 @@
"https://source.android.com/security/verifiedboot/",
"https://www.apple.com/business/docs/iOS%20Security%20Guide.pdf"
],
"external_id": "APP-27",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:defense-evasion",
"mitre-mobile-attack:mobile-attack:persistence"
],
"mitre_platforms": [
"Android",
"iOS"
@ -210,6 +260,10 @@
"https://zeltser.com/third-party-keyboards-security/",
"http://stackoverflow.com/questions/7848766/how-can-we-programmatically-detect-which-ios-version-is-device-running-on"
],
"external_id": "MOB-T1029",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:discovery"
],
"mitre_platforms": [
"Android",
"iOS"
@ -224,6 +278,10 @@
"refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1026"
],
"external_id": "MOB-T1026",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:discovery"
],
"mitre_platforms": [
"Android",
"iOS"
@ -239,6 +297,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1036",
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html"
],
"external_id": "APP-13",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:collection"
],
"mitre_platforms": [
"Android",
"iOS"
@ -260,6 +322,10 @@
"https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH%20US%2012%20Percoco%20Adventures%20in%20Bouncerland%20WP.pdf",
"https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang%20tielei"
],
"external_id": "ECO-22",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:app-delivery-via-authorized-app-store"
],
"mitre_platforms": [
"Android",
"iOS"
@ -275,6 +341,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1059",
"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html"
],
"external_id": "CEL-22",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:exploit-via-internet"
],
"mitre_platforms": [
"Android",
"iOS"
@ -290,6 +360,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1045",
"https://jon.oberheide.org/files/summercon12-bouncer.pdf"
],
"external_id": "MOB-T1045",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:app-delivery-via-authorized-app-store"
],
"mitre_platforms": [
"Android",
"iOS"
@ -306,6 +380,10 @@
"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html",
"https://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/"
],
"external_id": "CEL-22",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:exploit-via-internet"
],
"mitre_platforms": [
"Android",
"iOS"
@ -322,6 +400,10 @@
"https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html",
"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html"
],
"external_id": "ECO-13",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:app-delivery-via-other-means"
],
"mitre_platforms": [
"Android",
"iOS"
@ -338,6 +420,11 @@
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"external_id": "APP-29",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:command-and-control",
"mitre-mobile-attack:mobile-attack:exfiltration"
],
"mitre_platforms": [
"Android",
"iOS"
@ -352,6 +439,10 @@
"refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1023"
],
"external_id": "MOB-T1023",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:discovery"
],
"mitre_platforms": [
"Android"
]
@ -365,6 +456,10 @@
"refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1050"
],
"external_id": "MOB-T1050",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:effects"
],
"mitre_platforms": [
"Android"
]
@ -379,6 +474,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1032",
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html"
],
"external_id": "APP-19",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:collection"
],
"mitre_platforms": [
"Android",
"iOS"
@ -393,6 +492,10 @@
"refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1076"
],
"external_id": "MOB-T1076",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:supply-chain"
],
"mitre_platforms": [
"Android",
"iOS"
@ -412,6 +515,10 @@
"http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/",
"http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao"
],
"external_id": "APP-21",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:defense-evasion"
],
"mitre_platforms": [
"Android",
"iOS"
@ -431,6 +538,10 @@
"https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29",
"http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag"
],
"external_id": "APP-31",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:credential-access"
],
"mitre_platforms": [
"Android",
"iOS"
@ -449,6 +560,10 @@
"http://www.theregister.co.uk/2015/11/12/mobile%20pwn2own1/",
"https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf"
],
"external_id": "STA-19",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:exploit-via-cellular-network"
],
"mitre_platforms": [
"Android",
"iOS"
@ -464,6 +579,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1027",
"https://code.google.com/p/android/issues/detail?id=205565"
],
"external_id": "MOB-T1027",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:discovery"
],
"mitre_platforms": [
"Android"
]
@ -478,6 +597,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1004",
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html"
],
"external_id": "APP-22",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:persistence"
],
"mitre_platforms": [
"Android"
]
@ -493,6 +616,10 @@
"https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html",
"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html"
],
"external_id": "ECO-21",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:app-delivery-via-other-means"
],
"mitre_platforms": [
"Android",
"iOS"
@ -507,6 +634,11 @@
"refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1015"
],
"external_id": "MOB-T1015",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:collection",
"mitre-mobile-attack:mobile-attack:credential-access"
],
"mitre_platforms": [
"Android",
"iOS"
@ -522,6 +654,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1074",
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html"
],
"external_id": "APP-28",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:effects"
],
"mitre_platforms": [
"Android"
]
@ -537,6 +673,10 @@
"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-23.html",
"http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao"
],
"external_id": "ECO-23",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:app-delivery-via-other-means"
],
"mitre_platforms": [
"iOS"
]
@ -552,6 +692,10 @@
"https://developer.android.com/reference/java/net/NetworkInterface.html",
"https://developer.android.com/reference/android/telephony/TelephonyManager.html"
],
"external_id": "MOB-T1025",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:discovery"
],
"mitre_platforms": [
"Android"
]
@ -566,6 +710,11 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1041",
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html"
],
"external_id": "APP-30",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:command-and-control",
"mitre-mobile-attack:mobile-attack:exfiltration"
],
"mitre_platforms": [
"Android",
"iOS"
@ -581,6 +730,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1024",
"https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&hl=en"
],
"external_id": "MOB-T1024",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:discovery"
],
"mitre_platforms": [
"Android"
]
@ -595,6 +748,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1062",
"http://www.popsci.com/box-can-figure-out-your-4-digit-iphone-passcode"
],
"external_id": "MOB-T1062",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:exploit-via-physical-access"
],
"mitre_platforms": [
"Android",
"iOS"
@ -614,6 +771,11 @@
"https://usmile.at/symposium/program/2015/ekberg",
"http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html"
],
"external_id": "APP-27",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:credential-access",
"mitre-mobile-attack:mobile-attack:privilege-escalation"
],
"mitre_platforms": [
"Android"
]
@ -630,6 +792,10 @@
"http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf",
"https://blog.kaspersky.com/darkhotel-apt/6613/"
],
"external_id": "LPN-0",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:general-network-based"
],
"mitre_platforms": [
"Android",
"iOS"
@ -646,6 +812,10 @@
"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html",
"https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html"
],
"external_id": "EMM-7",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:cloud-based"
],
"mitre_platforms": [
"Android",
"iOS"
@ -662,6 +832,10 @@
"https://srlabs.de/bites/spoofing-fingerprints/",
"https://support.apple.com/en-us/HT204587"
],
"external_id": "MOB-T1063",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:exploit-via-physical-access"
],
"mitre_platforms": [
"Android",
"iOS"
@ -681,6 +855,11 @@
"https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html",
"http://csrc.nist.gov/publications/drafts/800-187/sp800%20187%20draft.pdf"
],
"external_id": "GPS-0",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:cellular-network-based",
"mitre-mobile-attack:mobile-attack:general-network-based"
],
"mitre_platforms": [
"Android",
"iOS"
@ -696,6 +875,11 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1017",
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html"
],
"external_id": "APP-35",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:collection",
"mitre-mobile-attack:mobile-attack:credential-access"
],
"mitre_platforms": [
"Android",
"iOS"
@ -711,6 +895,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1035",
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html"
],
"external_id": "APP-13",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:collection"
],
"mitre_platforms": [
"Android",
"iOS"
@ -728,6 +916,10 @@
"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html",
"http://www.infoworld.com/article/2854963/mobile-development/how-to-keep-your-app-store-dev-account-from-being-hijacked.html"
],
"external_id": "ECO-17",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:app-delivery-via-authorized-app-store"
],
"mitre_platforms": [
"Android",
"iOS"
@ -743,6 +935,11 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1013",
"https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/"
],
"external_id": "MOB-T1013",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:collection",
"mitre-mobile-attack:mobile-attack:credential-access"
],
"mitre_platforms": [
"Android",
"iOS"
@ -758,6 +955,11 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1012",
"https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html"
],
"external_id": "AUT-0",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:collection",
"mitre-mobile-attack:mobile-attack:credential-access"
],
"mitre_platforms": [
"Android",
"iOS"
@ -775,6 +977,11 @@
"https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf",
"https://www.apple.com/business/docs/iOS%20Security%20Guide.pdf"
],
"external_id": "APP-27",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:defense-evasion",
"mitre-mobile-attack:mobile-attack:persistence"
],
"mitre_platforms": [
"Android"
]
@ -790,6 +997,11 @@
"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html",
"http://csrc.nist.gov/publications/drafts/800-187/sp800%20187%20draft.pdf"
],
"external_id": "CEL-3",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:cellular-network-based",
"mitre-mobile-attack:mobile-attack:general-network-based"
],
"mitre_platforms": [
"Android",
"iOS"
@ -804,6 +1016,10 @@
"refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1075"
],
"external_id": "MOB-T1075",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:effects"
],
"mitre_platforms": [
"Android",
"iOS"
@ -819,6 +1035,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1005",
"http://ieeexplore.ieee.org/document/6234407"
],
"external_id": "MOB-T1005",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:persistence"
],
"mitre_platforms": [
"Android"
]
@ -832,6 +1052,11 @@
"refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1039"
],
"external_id": "MOB-T1039",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:command-and-control",
"mitre-mobile-attack:mobile-attack:exfiltration"
],
"mitre_platforms": [
"Android",
"iOS"
@ -846,6 +1071,10 @@
"refs": [
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1055"
],
"external_id": "MOB-T1055",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:effects"
],
"mitre_platforms": [
"Android",
"iOS"
@ -861,6 +1090,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1038",
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html"
],
"external_id": "APP-13",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:collection"
],
"mitre_platforms": [
"Android",
"iOS"
@ -878,6 +1111,10 @@
"https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html",
"https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/"
],
"external_id": "EMM-7",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:cloud-based"
],
"mitre_platforms": [
"Android",
"iOS"
@ -897,6 +1134,10 @@
"https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf",
"https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
],
"external_id": "CEL-37",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:cellular-network-based"
],
"mitre_platforms": [
"Android",
"iOS"
@ -915,6 +1156,11 @@
"https://www2.samsungknox.com/en/faq/what-knox-warranty-bit-and-how-it-triggered",
"https://www.apple.com/business/docs/iOS%20Security%20Guide.pdf"
],
"external_id": "APP-27",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:defense-evasion",
"mitre-mobile-attack:mobile-attack:persistence"
],
"mitre_platforms": [
"Android",
"iOS"
@ -930,6 +1176,11 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1056",
"https://www.skycure.com/blog/accessibility-clickjacking/"
],
"external_id": "MOB-T1056",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:collection",
"mitre-mobile-attack:mobile-attack:credential-access"
],
"mitre_platforms": [
"Android"
]
@ -945,6 +1196,10 @@
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html",
"https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/"
],
"external_id": "APP-6",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:supply-chain"
],
"mitre_platforms": [
"Android",
"iOS"
@ -964,6 +1219,10 @@
"https://www.fireeye.com/blog/threat-research/2016/01/hot%20or%20not%20the%20bene.html",
"https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang%20tielei"
],
"external_id": "APP-20",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:defense-evasion"
],
"mitre_platforms": [
"Android",
"iOS"
@ -983,6 +1242,10 @@
"https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf",
"https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
],
"external_id": "CEL-38",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:cellular-network-based"
],
"mitre_platforms": [
"Android",
"iOS"
@ -998,6 +1261,11 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1020",
"https://zeltser.com/third-party-keyboards-security/"
],
"external_id": "MOB-T1020",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:collection",
"mitre-mobile-attack:mobile-attack:credential-access"
],
"mitre_platforms": [
"Android",
"iOS"
@ -1013,6 +1281,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1007",
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html"
],
"external_id": "APP-26",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:privilege-escalation"
],
"mitre_platforms": [
"Android",
"iOS"
@ -1030,6 +1302,10 @@
"https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/",
"http://www.vvdveen.com/publications/BAndroid.pdf"
],
"external_id": "ECO-4",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:app-delivery-via-authorized-app-store"
],
"mitre_platforms": [
"Android"
]
@ -1044,6 +1320,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1006",
"https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf"
],
"external_id": "MOB-T1006",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:persistence"
],
"mitre_platforms": [
"Android"
]
@ -1059,6 +1339,11 @@
"https://developer.android.com/reference/android/content/pm/PackageManager.html",
"https://andreas-kurtz.de/2014/09/malicious-ios-apps/"
],
"external_id": "MOB-T1021",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:defense-evasion",
"mitre-mobile-attack:mobile-attack:discovery"
],
"mitre_platforms": [
"Android",
"iOS"
@ -1075,6 +1360,10 @@
"https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/",
"https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/"
],
"external_id": "MOB-T1064",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:exploit-via-physical-access"
],
"mitre_platforms": [
"Android",
"iOS"
@ -1093,6 +1382,10 @@
"http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/",
"https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters"
],
"external_id": "STA-22",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:cellular-network-based"
],
"mitre_platforms": [
"Android",
"iOS"
@ -1108,6 +1401,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1033",
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html"
],
"external_id": "APP-24",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:collection"
],
"mitre_platforms": [
"Android",
"iOS"
@ -1126,6 +1423,10 @@
"https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf",
"https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/"
],
"external_id": "PHY-1",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:exploit-via-physical-access"
],
"mitre_platforms": [
"Android",
"iOS"
@ -1142,6 +1443,10 @@
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html",
"https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html"
],
"external_id": "APP-1",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:general-network-based"
],
"mitre_platforms": [
"Android",
"iOS"
@ -1158,6 +1463,10 @@
"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html",
"http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html"
],
"external_id": "CEL-7",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:cellular-network-based"
],
"mitre_platforms": [
"Android",
"iOS"
@ -1174,6 +1483,11 @@
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html",
"http://ieeexplore.ieee.org/document/6234407"
],
"external_id": "APP-14",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:app-delivery-via-authorized-app-store",
"mitre-mobile-attack:mobile-attack:app-delivery-via-other-means"
],
"mitre_platforms": [
"Android",
"iOS"
@ -1190,6 +1504,10 @@
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html",
"http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
],
"external_id": "APP-28",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:effects"
],
"mitre_platforms": [
"Android",
"iOS"
@ -1205,6 +1523,10 @@
"https://attack.mitre.org/mobile/index.php/Technique/MOB-T1065",
"http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/"
],
"external_id": "MOB-T1065",
"kill_chain": [
"mitre-mobile-attack:mobile-attack:supply-chain"
],
"mitre_platforms": [
"Android",
"iOS"


@ -2,7 +2,7 @@
"name": "Mobile Attack - Course of Action",
"type": "mitre-mobile-attack-course-of-action",
"description": "ATT&CK Mitigation",
"version": 2,
"version": 3,
"source": "https://github.com/mitre/cti",
"uuid": "03956f9e-1708-11e8-8395-976b24233e15",
"authors": [
@ -12,72 +12,114 @@
{
"description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.",
"value": "Deploy Compromised Device Detection Method - MOB-M1010",
"uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433"
"uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433",
"meta": {
"external_id": "MOB-M1010"
}
},
{
"description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).",
"value": "Interconnection Filtering - MOB-M1014",
"uuid": "e829ee51-1caf-4665-ba15-7f8979634124"
"uuid": "e829ee51-1caf-4665-ba15-7f8979634124",
"meta": {
"external_id": "MOB-M1014"
}
},
{
"description": "Application developers should use device-provided credential storage mechanisms such as Android's KeyStore or iOS's KeyChain. These can prevent credentials from being exposed to an adversary.",
"value": "Use Device-Provided Credential Storage - MOB-M1008",
"uuid": "d2a199d2-dfea-4d0c-987d-6195ed17be9c"
"uuid": "d2a199d2-dfea-4d0c-987d-6195ed17be9c",
"meta": {
"external_id": "MOB-M1008"
}
},
{
"description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.",
"value": "Use Recent OS Version - MOB-M1006",
"uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564"
"uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564",
"meta": {
"external_id": "MOB-M1006"
}
},
{
"description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n* On Android devices, access can be controlled based on each device's security patch level.\n* On iOS devices, access can be controlled based on the iOS version.",
"value": "Security Updates - MOB-M1001",
"uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d"
"uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"meta": {
"external_id": "MOB-M1001"
}
},
{
"description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.",
"value": "Lock Bootloader - MOB-M1003",
"uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58"
"uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
"meta": {
"external_id": "MOB-M1003"
}
},
{
"description": "Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.",
"value": "System Partition Integrity - MOB-M1004",
"uuid": "7b1cf46f-784b-405a-a8dd-4624c19d8321"
"uuid": "7b1cf46f-784b-405a-a8dd-4624c19d8321",
"meta": {
"external_id": "MOB-M1004"
}
},
{
"description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.",
"value": "Attestation - MOB-M1002",
"uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c"
"uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c",
"meta": {
"external_id": "MOB-M1002"
}
},
{
"description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.",
"value": "Caution with Device Administrator Access - MOB-M1007",
"uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9"
"uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
"meta": {
"external_id": "MOB-M1007"
}
},
{
"description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
"value": "Application Developer Guidance - MOB-M1013",
"uuid": "25dc1ce8-eb55-4333-ae30-a7cb4f5894a1"
"uuid": "25dc1ce8-eb55-4333-ae30-a7cb4f5894a1",
"meta": {
"external_id": "MOB-M1013"
}
},
{
"description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as Detect App Analysis Environment exist that can enable adversaries to bypass vetting.",
"value": "Application Vetting - MOB-M1005",
"uuid": "1553b156-6767-47f7-9eb4-2a692505666d"
"uuid": "1553b156-6767-47f7-9eb4-2a692505666d",
"meta": {
"external_id": "MOB-M1005"
}
},
{
"description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.",
"value": "User Guidance - MOB-M1011",
"uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1"
"uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"meta": {
"external_id": "MOB-M1011"
}
},
{
"description": "An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.",
"value": "Enterprise Policy - MOB-M1012",
"uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee"
"uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"meta": {
"external_id": "MOB-M1012"
}
},
{
"description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.",
"value": "Encrypt Network Traffic - MOB-M1009",
"uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8"
"uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8",
"meta": {
"external_id": "MOB-M1009"
}
}
]
}


@ -2,7 +2,7 @@
"name": "Mobile Attack - intrusion Set",
"type": "mitre-mobile-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"version": 2,
"version": 3,
"source": "https://github.com/mitre/cti",
"uuid": "02ab4018-1708-11e8-8f9d-e735aabdfa53",
"authors": [
@ -29,7 +29,8 @@
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
]
],
"external_id": "G0007"
},
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
}


@ -2,7 +2,7 @@
"name": "Mobile Attack - Malware",
"type": "mitre-mobile-attack-malware",
"description": "Name of ATT&CK software",
"version": 2,
"version": 3,
"source": "https://github.com/mitre/cti",
"uuid": "04a165aa-1708-11e8-b2da-c7d7625f4a4f",
"authors": [
@ -17,6 +17,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0008",
"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
],
"external_id": "MOB-S0008",
"synonyms": [
"AndroRAT"
]
@ -31,6 +32,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0023",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"external_id": "MOB-S0023",
"synonyms": [
"Trojan-SMS.AndroidOS.Agent.ao"
]
@ -44,6 +46,7 @@
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0031"
],
"external_id": "MOB-S0031",
"synonyms": [
"DualToy"
]
@ -58,6 +61,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0004",
"http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
],
"external_id": "MOB-S0004",
"synonyms": [
"KeyRaider"
]
@ -73,6 +77,7 @@
"http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/",
"https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
],
"external_id": "MOB-S0009",
"synonyms": [
"BrainTest"
]
@ -87,6 +92,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0010",
"https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"
],
"external_id": "MOB-S0010",
"synonyms": [
"Shedun",
"Shuanet",
@ -104,6 +110,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0016",
"http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/"
],
"external_id": "MOB-S0016",
"synonyms": [
"DressCode"
]
@ -119,6 +126,7 @@
"https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html",
"http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534"
],
"external_id": "MOB-S0025",
"synonyms": [
"Adups"
]
@ -134,6 +142,7 @@
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf",
"https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"
],
"external_id": "MOB-S0005",
"synonyms": [
"Pegasus"
]
@ -148,6 +157,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0029",
"https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
],
"external_id": "MOB-S0029",
"synonyms": [
"RuMMS"
]
@ -162,6 +172,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0038",
"http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"
],
"external_id": "MOB-S0038",
"synonyms": [
"HummingBad"
]
@ -176,6 +187,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0024",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"external_id": "MOB-S0024",
"synonyms": [
"Trojan-SMS.AndroidOS.OpFake.a"
]
@ -190,6 +202,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0017",
"https://blog.lookout.com/blog/2014/03/06/dendroid/"
],
"external_id": "MOB-S0017",
"synonyms": [
"Dendroid"
]
@ -204,6 +217,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0019",
"https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
],
"external_id": "MOB-S0019",
"synonyms": [
"MazarBOT"
]
@ -219,6 +233,7 @@
"http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/",
"https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi"
],
"external_id": "MOB-S0006",
"synonyms": [
"Gooligan"
]
@ -233,6 +248,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0001",
"http://thehackernews.com/2014/01/first-widely-distributed-android.html"
],
"external_id": "MOB-S0001",
"synonyms": [
"OldBoot"
]
@ -246,6 +262,7 @@
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0028"
],
"external_id": "MOB-S0028",
"synonyms": [
"WireLurker"
]
@ -261,6 +278,7 @@
"https://www.zscaler.com/blogs/research/super-mario-run-malware-2--droidjack-rat",
"https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"
],
"external_id": "MOB-S0036",
"synonyms": [
"DroidJack RAT"
]
@ -275,6 +293,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0037",
"http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/"
],
"external_id": "MOB-S0037",
"synonyms": [
"HummingWhale"
]
@ -289,6 +308,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0026",
"http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/"
],
"external_id": "MOB-S0026",
"synonyms": [
"ANDROIDOS_ANSERVER.A"
]
@ -303,6 +323,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0022",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"external_id": "MOB-S0022",
"synonyms": [
"Trojan-SMS.AndroidOS.FakeInst.a"
]
@ -317,6 +338,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0015",
"https://blog.lookout.com/blog/2014/11/19/notcompatible/"
],
"external_id": "MOB-S0015",
"synonyms": [
"NotCompatible"
]
@ -331,6 +353,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0030",
"https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"
],
"external_id": "MOB-S0030",
"synonyms": [
"X-Agent"
]
@ -345,6 +368,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0018",
"http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"
],
"external_id": "MOB-S0018",
"synonyms": [
"Twitoor"
]
@ -359,6 +383,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0002",
"http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"
],
"external_id": "MOB-S0002",
"synonyms": [
"OBAD"
]
@ -373,6 +398,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0020",
"https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
],
"external_id": "MOB-S0020",
"synonyms": [
"Android/Chuli.A"
]
@ -387,6 +413,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0007",
"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
],
"external_id": "MOB-S0007",
"synonyms": [
"PJApps"
]
@ -401,6 +428,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0012",
"https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay-malware-spreading-in-europe.html"
],
"external_id": "MOB-S0012",
"synonyms": [
"AndroidOverlayMalware"
]
@ -415,6 +443,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0003",
"http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
],
"external_id": "MOB-S0003",
"synonyms": [
"ZergHelper"
]
@ -429,6 +458,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0021",
"https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
],
"external_id": "MOB-S0021",
"synonyms": [
"SpyNote RAT"
]
@ -443,6 +473,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0011",
"https://github.com/hackedteam/core-android/tree/master/RCSAndroid"
],
"external_id": "MOB-S0011",
"synonyms": [
"RCSAndroid"
]
@ -457,6 +488,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0039",
"http://blog.checkpoint.com/2017/01/24/charger-malware/"
],
"external_id": "MOB-S0039",
"synonyms": [
"Charger"
]
@ -470,6 +502,7 @@
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0027"
],
"external_id": "MOB-S0027",
"synonyms": [
"YiSpecter"
]
@ -485,6 +518,7 @@
"https://blog.lookout.com/blog/2017/04/03/pegasus-android/",
"https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"
],
"external_id": "MOB-S0032",
"synonyms": [
"Pegasus for Android",
"Chrysaor"
@ -501,6 +535,7 @@
"http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/",
"http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
],
"external_id": "MOB-S0013",
"synonyms": [
"XcodeGhost"
]


@ -2,7 +2,7 @@
"name": "Mobile Attack - Tool",
"type": "mitre-mobile-attack-tool",
"description": "Name of ATT&CK software",
"version": 2,
"version": 3,
"source": "https://github.com/mitre/cti",
"uuid": "02cee87e-1708-11e8-8f15-8b33e4d6194b",
"authors": [
@ -17,6 +17,7 @@
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0014",
"http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
],
"external_id": "MOB-S0014",
"synonyms": [
"Xbot"
]



@ -2,7 +2,7 @@
"name": "Pre Attack - intrusion Set",
"type": "mitre-pre-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"version": 2,
"version": 3,
"source": "https://github.com/mitre/cti",
"uuid": "1fdc8fa2-1708-11e8-99a3-67b4efc13c4f",
"authors": [
@ -19,7 +19,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0023",
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
]
],
"external_id": "G0023"
},
"uuid": "d6e88e18-81e8-4709-82d8-973095da1e70"
},
@ -43,7 +44,8 @@
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
]
],
"external_id": "G0007"
},
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
},
@ -60,7 +62,8 @@
"https://attack.mitre.org/wiki/Group/G0003",
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance%20Operation%20Cleaver%20Report.pdf",
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
]
],
"external_id": "G0003"
},
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063"
},
@ -78,7 +81,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0005",
"http://www.crowdstrike.com/blog/whois-numbered-panda/"
]
],
"external_id": "G0005"
},
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb"
},
@ -95,21 +99,25 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0006",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
]
],
"external_id": "G0006"
},
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662"
},
{
"description": "Night Dragon is a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)",
"description": "Night Dragon is a campaign name for activity involving threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon) The activity from this group is also known as Musical Chairs. (Citation: Arbor Musical Chairs Feb 2018)",
"value": "Night Dragon - G0014",
"meta": {
"synonyms": [
"Night Dragon"
"Night Dragon",
"Musical Chairs"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0014",
"http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf"
]
"https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee%20NightDragon%20wp%20draft%20to%20customersv1-1.pdf",
"https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/"
],
"external_id": "G0014"
},
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8"
},
@ -124,7 +132,8 @@
"refs": [
"https://attack.mitre.org/wiki/Group/G0025",
"https://www2.fireeye.com/rs/fireye/images/APT17%20Report.pdf"
]
],
"external_id": "G0025"
},
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae"
}


@ -3,6 +3,6 @@
"type": "mitre-enterprise-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "fa7016a8-1707-11e8-82d0-1b73d76eb204",
"version": 3,
"version": 4,
"icon": "map"
}


@ -3,6 +3,6 @@
"type": "mitre-enterprise-attack-course-of-action",
"description": "ATT&CK Mitigation",
"uuid": "fb5a36c0-1707-11e8-81f5-d732b22a4982",
"version": 3,
"version": 4,
"icon": "chain"
}


@ -3,6 +3,6 @@
"type": "mitre-enterprise-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"uuid": "1f3b8c56-1708-11e8-b211-17a60c0f73ee",
"version": 3,
"version": 4,
"icon": "user-secret"
}


@ -3,6 +3,6 @@
"type": "mitre-enterprise-attack-malware",
"description": "Name of ATT&CK software",
"uuid": "fbb19af0-1707-11e8-9fd6-dbd88a04d33a",
"version": 3,
"version": 4,
"icon": "optin-monster"
}


@ -3,6 +3,6 @@
"type": "mitre-enterprise-attack-tool",
"description": "Name of ATT&CK software",
"uuid": "fbfa0470-1707-11e8-be22-eb46b373fdd3",
"version": 3,
"version": 4,
"icon": "gavel"
}


@ -3,6 +3,6 @@
"type": "mitre-mobile-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "1c6d1332-1708-11e8-847c-e3c5643c41a5",
"version": 2,
"version": 3,
"icon": "map"
}


@ -3,6 +3,6 @@
"type": "mitre-mobile-attack-course-of-action",
"description": "ATT&CK Mitigation",
"uuid": "0282356a-1708-11e8-8f53-975633d5c03c",
"version": 2,
"version": 3,
"icon": "chain"
}


@ -3,6 +3,6 @@
"type": "mitre-mobile-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"uuid": "0314e554-1708-11e8-b049-8f8a42b5bb62",
"version": 2,
"version": 3,
"icon": "user-secret"
}


@ -3,6 +3,6 @@
"type": "mitre-mobile-attack-malware",
"description": "Name of ATT&CK software",
"uuid": "03e3853a-1708-11e8-95c1-67cf3f801a18",
"version": 2,
"version": 3,
"icon": "optin-monster"
}


@ -3,6 +3,6 @@
"type": "mitre-mobile-attack-tool",
"description": "Name of ATT&CK software",
"uuid": "1d0b4bce-1708-11e8-9e6e-1b130c9b0a91",
"version": 2,
"version": 3,
"icon": "gavel"
}


@ -3,6 +3,6 @@
"type": "mitre-pre-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "1f665850-1708-11e8-9cfe-4792b2a91402",
"version": 2,
"version": 3,
"icon": "map"
}


@ -3,6 +3,6 @@
"type": "mitre-pre-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"uuid": "1fb6d5b4-1708-11e8-9836-8bbc8ce6866e",
"version": 2,
"version": 3,
"icon": "user-secret"
}


@ -30,6 +30,9 @@ for element in os.listdir('.'):
value['meta']['refs'].append(reference['url'])
if 'external_id' in reference:
value['meta']['external_id'] = reference['external_id']
value['meta']['kill_chain'] = []
for killchain in temp['kill_chain_phases']:
value['meta']['kill_chain'].append(killchain['kill_chain_name'] + ':enterprise-attack:' + killchain['phase_name'])
if 'x_mitre_data_sources' in temp:
value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources']
if 'x_mitre_platforms' in temp:
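Review bot: `temp['kill_chain_phases']` in the added `for killchain in ...` line is read without the `in temp` guard that the neighbouring `x_mitre_data_sources` and `x_mitre_platforms` fields get, so if any STIX object in the input lacks that key the whole generator run aborts with a KeyError instead of emitting a cluster with an empty kill chain. The same three unguarded lines are added in the mobile-attack and pre-attack hunks below, with only the domain label differing. A single line keeps the key always present and tolerates the missing case: `value['meta']['kill_chain'] = [k['kill_chain_name'] + ':enterprise-attack:' + k['phase_name'] for k in temp.get('kill_chain_phases', [])]`. The enclosing `for element in os.listdir('.')` loop begins outside the hunk.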


@ -21,16 +21,18 @@ for element in os.listdir('.'):
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
if 'description' in temp:
value['description'] = temp['description']
value['value'] = temp['name'] + ' - ' + temp['external_references'][0]['external_id']
value['meta'] = {}
value['meta']['synonyms'] = temp['aliases']
if 'aliases' in temp:
value['meta']['synonyms'] = temp['aliases']
value['meta']['refs']= []
for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url'])
if 'external_id' in reference:
value['meta']['external_id'] = reference['external_id']
value['meta']['external_id'] = reference['external_id']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
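Review bot: The new `if 'description' in temp` and `if 'aliases' in temp` guards stop short of the `value['value']` line, where `temp['external_references'][0]['external_id']` still raises KeyError or IndexError when a group has no external references or its first reference carries no id, so the script still aborts on the same kind of sparse object the guards are meant to tolerate. The loop further down keeps the `external_id` of whichever reference comes last, which matches the ATT&CK id only as long as no other reference carries its own id; selecting the reference by its `source_name` (presumably `mitre-attack` for these files) and reusing that value for `value['value']` would make the intent explicit and remove the bare `[0]` index. A guarded form for the existing loop is `if 'external_id' in reference and 'external_id' not in value['meta']:` / `value['meta']['external_id'] = reference['external_id']`, which pins the first id rather than the last. The enclosing `for element in os.listdir('.')` loop begins outside the hunk.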


@ -30,6 +30,9 @@ for element in os.listdir('.'):
value['meta']['refs'].append(reference['url'])
if 'external_id' in reference:
value['meta']['external_id'] = reference['external_id']
value['meta']['kill_chain'] = []
for killchain in temp['kill_chain_phases']:
value['meta']['kill_chain'].append(killchain['kill_chain_name'] + ':mobile-attack:' + killchain['phase_name'])
if 'x_mitre_data_sources' in temp:
value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources']
if 'x_mitre_platforms' in temp:


@ -30,6 +30,9 @@ for element in os.listdir('.'):
value['meta']['refs'].append(reference['url'])
if 'external_id' in reference:
value['meta']['external_id'] = reference['external_id']
value['meta']['kill_chain'] = []
for killchain in temp['kill_chain_phases']:
value['meta']['kill_chain'].append(killchain['kill_chain_name'] + ':pre-attack:' + killchain['phase_name'])
if 'x_mitre_data_sources' in temp:
value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources']
if 'x_mitre_platforms' in temp: