From 39073004c4db2713bc75dbd886e3881d8a72f721 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Wed, 25 May 2022 21:03:14 +0200
Subject: [PATCH] [mitre] bump to MITRE ATT&CK v11.2

---
clusters/mitre-attack-pattern.json | 282 +++++++----------------------
clusters/mitre-intrusion-set.json | 50 +----
clusters/mitre-malware.json | 216 +++++++++++++++-------
clusters/mitre-tool.json | 82 +++------
4 files changed, 252 insertions(+), 378 deletions(-)

diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json
index 811f5df..9f4d03e 100644
--- a/clusters/mitre-attack-pattern.json
+++ b/clusters/mitre-attack-pattern.json
@@ -626,7 +626,7 @@ "value": "Identify vulnerabilities in third-party software libraries - T1389" }, { - "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\n\nThe following run keys are created by default on Windows systems:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. 
Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. 
The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", + "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. 
The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\n\nThe following run keys are created by default on Windows systems:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* 
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", "meta": { "external_id": "CAPEC-270", "kill_chain": [ 
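Review bot: The entry's `"external_id": "CAPEC-270"` in the trailing context of this hunk is a CAPEC identifier even though the description is the ATT&CK Registry Run Keys / Startup Folder technique text; if this field is meant to carry the ATT&CK technique ID, the generator appears to be picking the CAPEC external reference instead, which should be confirmed before the bump is merged. The rewritten description also swaps `(Citation: Microsoft RunOnceEx APR 2018)` for `(Citation: Microsoft Run Key)` while the next hunk drops the support.microsoft.com RunOnceEx article from `refs`, so the RunOnceEx `Depend` statement is now backed only by the generic run-key citation; as far as this diff shows that mirrors upstream v11.2, but it is worth a line in the commit message if intentional. The enclosing object starts before this hunk (its `value` line is not shown).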
@@ -650,7 +650,6 @@ "https://capec.mitre.org/data/definitions/270.html", "https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key", "https://technet.microsoft.com/en-us/sysinternals/bb963902" ] }, @@ -700,7 +699,9 @@ "kill_chain": [ "mitre-attack:initial-access" ], - "mitre_data_sources": [], + "mitre_data_sources": [ + "File: File Metadata" + ], "mitre_platforms": [ "Linux", "macOS", @@ -829,7 +830,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -994,7 +994,6 @@ "mitre-attack:lateral-movement", "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -2160,7 +2159,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -2192,7 +2190,6 @@ "kill_chain": [ "mitre-attack:command-and-control" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -2269,7 +2266,6 @@ "mitre-attack:persistence", "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -2304,7 +2300,6 @@ "mitre-attack:defense-evasion", "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -3043,7 +3038,6 @@ "kill_chain": [ "mitre-attack:credential-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -3276,7 +3270,9 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], + "mitre_data_sources": [ + "Application Log: Application Log Content" + ], "mitre_platforms": [ "Linux", "macOS", @@ -3507,7 +3503,9 @@ "kill_chain": [ "mitre-attack:initial-access" ], - "mitre_data_sources": [], + "mitre_data_sources": [ + "File: File Metadata" + ], "mitre_platforms": [ "Linux", "macOS", 
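Review bot: Starting at `@@ -829,7 +830,6 @@` and `@@ -994,7 +994,6 @@` on this line, and in most hunks through the end of the diff, the new side deletes `"mitre_data_sources": []` wherever the list was empty but keeps the key with a non-empty list elsewhere (e.g. `@@ -700,7 +699,9 @@`), so `meta.mitre_data_sources` changes from always-present to optional. Omit-when-empty is the cleaner policy, but any consumer that reads `meta["mitre_data_sources"]` unconditionally will now fail on these entries, so the key should be documented as optional (or noted in the commit message), and it is worth checking that no `[]` values remain elsewhere in the file so the policy is applied uniformly.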
@@ -3564,7 +3562,9 @@ "kill_chain": [ "mitre-attack:initial-access" ], - "mitre_data_sources": [], + "mitre_data_sources": [ + "Sensor Health: Host Status" + ], "mitre_platforms": [ "Linux", "macOS", @@ -4448,7 +4448,7 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1005", - "https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits ", + "https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits", "https://www.us-cert.gov/ncas/alerts/TA18-106A" ] }, @@ -4565,7 +4565,7 @@ "refs": [ "https://attack.mitre.org/techniques/T1016", "https://capec.mitre.org/data/definitions/309.html", - "https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits ", + "https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits", "https://www.us-cert.gov/ncas/alerts/TA18-106A" ] }, @@ -4626,7 +4626,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -4822,7 +4821,6 @@ "kill_chain": [ "mitre-attack:credential-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -4887,7 +4885,6 @@ "mitre-attack:privilege-escalation", "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -4956,7 +4953,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows", "Linux", @@ -5147,7 +5143,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -5209,7 +5204,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -5230,7 +5224,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", 
@@ -5286,7 +5279,6 @@ "mitre-attack:defense-evasion", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -5323,7 +5315,10 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], + "mitre_data_sources": [ + "Application Log: Application Log Content", + "Process: Process Creation" + ], "mitre_platforms": [ "Linux", "Windows", @@ -5344,7 +5339,6 @@ "mitre-attack:defense-evasion", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -5378,7 +5372,11 @@ "kill_chain": [ "mitre-attack:credential-access" ], - "mitre_data_sources": [], + "mitre_data_sources": [ + "Application Log: Application Log Content", + "Process: Process Creation", + "User Account: User Account Authentication" + ], "mitre_platforms": [ "Linux", "Windows", @@ -5401,7 +5399,6 @@ "mitre-attack:defense-evasion", "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -5479,7 +5476,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS" @@ -5545,7 +5541,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -5714,7 +5709,6 @@ "kill_chain": [ "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -5764,7 +5758,6 @@ "mitre-attack:defense-evasion", "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -5796,7 +5789,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -5859,7 +5851,6 @@ "kill_chain": [ "mitre-attack:credential-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "IaaS" ], @@ -6584,7 +6575,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], 
@@ -7550,7 +7540,7 @@ "https://attack.mitre.org/techniques/T1550/001", "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/", "https://capec.mitre.org/data/definitions/593.html", - "https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials ", + "https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials", "https://cloud.google.com/iam/docs/service-account-monitoring", "https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen", "https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html", @@ -7889,9 +7879,9 @@ "refs": [ "http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf", "https://attack.mitre.org/techniques/T1036/003", - "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163418/CozyDuke.pdf", "https://lolbas-project.github.io/", - "https://twitter.com/ItsReallyNick/status/1055321652777619457" + "https://twitter.com/ItsReallyNick/status/1055321652777619457", + "https://www.f-secure.com/documents/996508/1030745/CozyDuke" ] }, "related": [ @@ -8099,7 +8089,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -8224,7 +8213,7 @@ "refs": [ "https://attack.mitre.org/techniques/T1098/003", "https://cloud.google.com/iam/docs/policies", - "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html ", + "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html", "https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide", "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5", @@ -8494,7 +8483,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], 
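Review bot: The `refs` change at `@@ -7889,9 +7879,9 @@` replaces the 2019 blog-assets.f-secure.com CozyDuke PDF with the older www.f-secure.com/documents path, and the same direction of change recurs on the following lines: web.archive.org snapshots of the Arbor Networks report (`@@ -9170`, `@@ -9518`, `@@ -10052`, `@@ -19071`) and of the Cylance Operation Cleaver report (`@@ -9649`, `@@ -16106`) are replaced by the live URLs, research.nccgroup.com becomes the retired nccgroup.trust host (`@@ -16440`), and github.com/EmpireProject/Empire becomes github.com/PowerShellEmpire/Empire (`@@ -13236`). Archived snapshots are normally introduced because the live link rotted, so these look like the regenerated output overwriting earlier link repairs rather than upstream v11.2 corrections; please confirm whether the ATT&CK v11.2 STIX bundle actually carries these URLs, and if the earlier values were local fixes, move them into the generator's post-processing so the next bump does not drop them again.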
@@ -8824,7 +8812,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -8993,7 +8980,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -9055,7 +9041,9 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], + "mitre_data_sources": [ + "Process: Process Creation" + ], "mitre_platforms": [ "Windows" ], @@ -9170,7 +9158,7 @@ "https://attack.mitre.org/techniques/T1499/001", "https://capec.mitre.org/data/definitions/469.html", "https://capec.mitre.org/data/definitions/482.html", - "https://web.archive.org/web/20180320005525/https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", + "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf", "https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/", "https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html" @@ -9408,7 +9396,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -9518,7 +9505,7 @@ "https://capec.mitre.org/data/definitions/488.html", "https://capec.mitre.org/data/definitions/489.html", "https://capec.mitre.org/data/definitions/528.html", - "https://web.archive.org/web/20180320005525/https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", + "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf", "https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/", "https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new" 
@@ -9649,7 +9636,7 @@ "https://attack.mitre.org/techniques/T1557/002", "https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411", "https://tools.ietf.org/html/rfc826", - "https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ] }, "related": [ @@ -9871,7 +9858,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -10052,7 +10038,7 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1499/003", - "https://web.archive.org/web/20180320005525/https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", + "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf" ] }, @@ -10311,7 +10297,7 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1555/004", - "https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/ ", + "https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)?redirectedfrom=MSDN", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store", "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credenumeratea", @@ -10821,7 +10807,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -10923,7 +10908,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], 
@@ -10976,7 +10960,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -11083,7 +11066,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -11183,7 +11165,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "Windows", @@ -11220,7 +11201,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -11284,7 +11264,7 @@ "refs": [ "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "https://attack.mitre.org/techniques/T1105", - "https://lolbas-project.github.io/#t1105 ", + "https://lolbas-project.github.io/#t1105", "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf" ] }, @@ -11298,7 +11278,6 @@ "kill_chain": [ "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -11341,7 +11320,6 @@ "kill_chain": [ "mitre-attack:lateral-movement" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -11395,7 +11373,6 @@ "kill_chain": [ "mitre-attack:credential-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows", "IaaS", @@ -11511,7 +11488,6 @@ "kill_chain": [ "mitre-attack:command-and-control" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -11558,7 +11534,6 @@ "kill_chain": [ "mitre-attack:command-and-control" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -11611,7 +11586,6 @@ "mitre-attack:defense-evasion", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -11765,7 +11739,6 @@ "mitre-attack:execution", "mitre-attack:lateral-movement" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], 
@@ -11796,7 +11769,6 @@ "kill_chain": [ "mitre-attack:command-and-control" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -11831,7 +11803,6 @@ "kill_chain": [ "mitre-attack:discovery" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS", "Windows" @@ -12072,7 +12043,6 @@ "mitre-attack:defense-evasion", "mitre-attack:lateral-movement" ], - "mitre_data_sources": [], "mitre_platforms": [ "Office 365", "SaaS" @@ -12102,7 +12072,6 @@ "kill_chain": [ "mitre-attack:command-and-control" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -12149,7 +12118,6 @@ "kill_chain": [ "mitre-attack:lateral-movement" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -12316,7 +12284,6 @@ "kill_chain": [ "mitre-attack:lateral-movement" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -12376,7 +12343,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -12447,7 +12413,6 @@ "kill_chain": [ "mitre-attack:lateral-movement" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -12482,7 +12447,6 @@ "kill_chain": [ "mitre-attack:lateral-movement" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -12514,7 +12478,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -12545,7 +12508,6 @@ "mitre-attack:defense-evasion", "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS" @@ -12638,7 +12600,6 @@ "kill_chain": [ "mitre-attack:credential-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -12749,7 +12710,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -12974,7 +12934,6 @@ "kill_chain": [ "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], 
@@ -13089,7 +13048,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS" @@ -13149,7 +13107,6 @@ "kill_chain": [ "mitre-attack:credential-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -13191,7 +13148,6 @@ "kill_chain": [ "mitre-attack:initial-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows", "macOS", @@ -13236,7 +13192,7 @@ "https://attack.mitre.org/techniques/T1615", "https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", - "https://github.com/EmpireProject/Empire" + "https://github.com/PowerShellEmpire/Empire" ] }, "uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", @@ -13249,7 +13205,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS" @@ -13304,7 +13259,10 @@ "kill_chain": [ "mitre-attack:initial-access" ], - "mitre_data_sources": [], + "mitre_data_sources": [ + "File: File Metadata", + "Sensor Health: Host Status" + ], "mitre_platforms": [ "Linux", "Windows", @@ -13335,7 +13293,6 @@ "mitre-attack:privilege-escalation", "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS" @@ -13366,7 +13323,6 @@ "mitre-attack:persistence", "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS" @@ -13401,7 +13357,6 @@ "mitre-attack:defense-evasion", "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -13447,7 +13402,6 @@ "mitre-attack:defense-evasion", "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -13919,7 +13873,6 @@ "kill_chain": [ "mitre-attack:impact" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", 
@@ -14035,7 +13988,6 @@ "mitre-attack:defense-evasion", "mitre-attack:lateral-movement" ], - "mitre_data_sources": [], "mitre_platforms": [ "SaaS", "Office 365" @@ -14347,7 +14299,6 @@ "kill_chain": [ "mitre-attack:command-and-control" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -14406,7 +14357,6 @@ "kill_chain": [ "mitre-attack:impact" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -14469,7 +14419,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "IaaS" ], @@ -14689,7 +14638,6 @@ "kill_chain": [ "mitre-attack:impact" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -14850,7 +14798,6 @@ "kill_chain": [ "mitre-attack:impact" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows", "macOS", @@ -14884,7 +14831,6 @@ "kill_chain": [ "mitre-attack:impact" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -14989,7 +14935,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -15451,7 +15396,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -15499,7 +15443,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -15554,7 +15497,6 @@ "kill_chain": [ "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -15587,7 +15529,6 @@ "kill_chain": [ "mitre-attack:command-and-control" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -15752,7 +15693,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], 
@@ -16106,7 +16046,7 @@ "refs": [ "https://attack.mitre.org/techniques/T1110/001", "https://capec.mitre.org/data/definitions/49.html", - "https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf", + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/emotet-now-spreads-via-wi-fi", "https://www.us-cert.gov/ncas/alerts/TA18-086A" ] @@ -16440,7 +16380,7 @@ "https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf", "https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf", - "https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/", "https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices", "https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf" ] @@ -16461,7 +16401,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -16664,8 +16603,8 @@ "Windows" ], "refs": [ - " https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/", - "https://attack.mitre.org/techniques/T1204/002" + "https://attack.mitre.org/techniques/T1204/002", + "https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/" ] }, "related": [ @@ -17338,7 +17277,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], 
@@ -17469,7 +17407,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -17994,7 +17931,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -18293,7 +18229,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -18421,7 +18356,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -18804,7 +18738,6 @@ "kill_chain": [ "mitre-attack:resource-development" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -18829,7 +18762,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -19071,7 +19003,7 @@ "https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/", "https://blog.cloudflare.com/reflections-on-reflections/", "https://capec.mitre.org/data/definitions/490.html", - "https://web.archive.org/web/20180320005525/https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", + "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf", "https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/", "https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/" @@ -19155,7 +19087,6 @@ "kill_chain": [ "mitre-attack:resource-development" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -19310,7 +19241,6 @@ "kill_chain": [ "mitre-attack:resource-development" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], 
@@ -19453,7 +19383,7 @@ "https://unit42.paloaltonetworks.com/acidbox-rare-malware/", "https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/", "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", - "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf " + "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" ] }, "related": [ @@ -19734,7 +19664,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -19787,7 +19716,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -20217,7 +20145,12 @@ "mitre-attack:defense-evasion", "mitre-attack:persistence" ], - "mitre_data_sources": [], + "mitre_data_sources": [ + "Active Directory: Active Directory Object Modification", + "Command: Command Execution", + "Script: Script Execution", + "User Account: User Account Metadata" + ], "mitre_platforms": [ "Windows" ], @@ -20245,7 +20178,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -20664,7 +20596,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "Windows", @@ -20724,7 +20655,11 @@ "kill_chain": [ "mitre-attack:initial-access" ], - "mitre_data_sources": [], + "mitre_data_sources": [ + "Application Log: Application Log Content", + "Drive: Drive Creation", + "Network Traffic: Network Traffic Flow" + ], "mitre_platforms": [ "Windows", "Linux", @@ -20749,7 +20684,6 @@ "kill_chain": [ "mitre-attack:exfiltration" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "Windows", 
@@ -20792,13 +20726,13 @@ "IaaS" ], "refs": [ - " https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512 ", "https://attack.mitre.org/techniques/T1040", "https://capec.mitre.org/data/definitions/158.html", - "https://cloud.google.com/vpc/docs/packet-mirroring ", + "https://cloud.google.com/vpc/docs/packet-mirroring", "https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html", "https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview", - "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/ " + "https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512", + "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" ] }, "uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", @@ -20812,7 +20746,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -20890,7 +20823,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -21043,7 +20975,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -21075,7 +21006,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -21106,7 +21036,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -21162,7 +21091,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -21190,7 +21118,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux" ], @@ -21224,7 +21151,6 @@ "kill_chain": [ "mitre-attack:lateral-movement" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], 
@@ -21312,7 +21238,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -21343,7 +21268,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -21374,7 +21298,6 @@ "mitre-attack:defense-evasion", "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows", "Azure AD", @@ -21400,7 +21323,6 @@ "mitre-attack:defense-evasion", "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -21429,7 +21351,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -21465,7 +21386,6 @@ "kill_chain": [ "mitre-attack:exfiltration" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -21510,7 +21430,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -21640,7 +21559,6 @@ "kill_chain": [ "mitre-attack:command-and-control" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -21661,7 +21579,6 @@ "kill_chain": [ "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS" @@ -21691,7 +21608,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -21762,7 +21678,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -21810,7 +21725,6 @@ "kill_chain": [ "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -21851,7 +21765,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -21903,7 +21816,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], 
@@ -21958,7 +21870,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -21989,7 +21900,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows", "macOS" @@ -22279,7 +22189,6 @@ "kill_chain": [ "mitre-attack:command-and-control" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -22381,7 +22290,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -22520,7 +22428,6 @@ "kill_chain": [ "mitre-attack:credential-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS", "Windows" @@ -22579,7 +22486,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -22608,7 +22514,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS", "Windows" @@ -22790,7 +22695,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -22821,7 +22725,6 @@ "kill_chain": [ "mitre-attack:command-and-control" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -22852,7 +22755,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -22882,7 +22784,6 @@ "kill_chain": [ "mitre-attack:initial-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows", "macOS", @@ -22960,7 +22861,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS", "Windows" @@ -23043,7 +22943,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -23086,7 +22985,6 @@ "kill_chain": [ "mitre-attack:initial-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows", "macOS", 
@@ -23116,7 +23014,6 @@ "kill_chain": [ "mitre-attack:credential-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS" @@ -23145,7 +23042,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -23199,7 +23095,6 @@ "kill_chain": [ "mitre-attack:credential-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -23295,7 +23190,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -23344,7 +23238,6 @@ "kill_chain": [ "mitre-attack:lateral-movement" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS" @@ -23394,7 +23287,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -23464,7 +23356,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -23513,7 +23404,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -23575,7 +23465,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -23670,7 +23559,6 @@ "kill_chain": [ "mitre-attack:credential-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -23700,7 +23588,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -23751,7 +23638,6 @@ "mitre-attack:execution", "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -25215,7 +25101,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -25276,7 +25161,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], 
@@ -25937,7 +25821,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -26028,7 +25911,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -26115,7 +25997,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -26199,7 +26080,6 @@ "kill_chain": [ "mitre-attack:resource-development" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -26325,7 +26205,6 @@ "kill_chain": [ "mitre-attack:resource-development" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -26352,7 +26231,6 @@ "kill_chain": [ "mitre-attack:reconnaissance" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -26377,7 +26255,6 @@ "kill_chain": [ "mitre-attack:resource-development" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -26403,7 +26280,6 @@ "kill_chain": [ "mitre-attack:resource-development" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -26432,7 +26308,6 @@ "kill_chain": [ "mitre-attack:resource-development" ], - "mitre_data_sources": [], "mitre_platforms": [ "PRE" ], @@ -26504,7 +26379,7 @@ "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", "https://redcanary.com/blog/verclsid-exe-threat-detection/", - "https://www.winosbite.com/verclsid-exe/ " + "https://www.winosbite.com/verclsid-exe/" ] }, "related": [ 
@@ -26571,7 +26446,7 @@ "https://docs.microsoft.com/en-us/windows/win32/com/clsid-key-hklm", "https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/", "https://www.ghacks.net/2017/06/10/windows-msc-files-overview/", - "https://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection " + "https://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection" ] }, "related": [ @@ -26630,7 +26505,9 @@ "mitre-attack:privilege-escalation", "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], + "mitre_data_sources": [ + "Process: OS API Execution" + ], "mitre_platforms": [ "Windows" ], @@ -26691,7 +26568,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -26721,7 +26597,6 @@ "mitre-attack:defense-evasion", "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -26809,7 +26684,6 @@ "mitre-attack:defense-evasion", "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -26844,7 +26718,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -26874,7 +26747,6 @@ "mitre-attack:defense-evasion", "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -26903,7 +26775,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -26926,7 +26797,6 @@ "kill_chain": [ "mitre-attack:credential-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -26996,7 +26866,6 @@ "mitre-attack:defense-evasion", "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS", @@ -27021,7 +26890,6 @@ "kill_chain": [ "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "Windows" 
@@ -27051,7 +26919,6 @@ "kill_chain": [ "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -27086,7 +26953,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "Windows", @@ -27117,7 +26983,6 @@ "mitre-attack:defense-evasion", "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -27149,7 +27014,6 @@ "mitre-attack:defense-evasion", "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -27179,7 +27043,6 @@ "mitre-attack:defense-evasion", "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], @@ -27212,7 +27075,6 @@ "kill_chain": [ "mitre-attack:credential-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -27243,7 +27105,6 @@ "mitre-attack:execution", "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -27271,7 +27132,6 @@ "kill_chain": [ "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS" @@ -27292,7 +27152,6 @@ "mitre-attack:execution", "mitre-attack:persistence" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS" @@ -27322,7 +27181,6 @@ "kill_chain": [ "mitre-attack:defense-evasion" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS" @@ -27377,7 +27235,6 @@ "kill_chain": [ "mitre-attack:execution" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -27427,7 +27284,6 @@ "mitre-attack:persistence", "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "macOS" ], @@ -27474,7 +27330,6 @@ "kill_chain": [ "mitre-attack:privilege-escalation" ], - "mitre_data_sources": [], "mitre_platforms": [ "Linux", "macOS" @@ -27505,7 +27360,6 @@ "mitre-attack:privilege-escalation", "mitre-attack:credential-access" ], - "mitre_data_sources": [], "mitre_platforms": [ "Windows" ], 
@@ -27607,5 +27461,5 @@ "value": "Keychain - T1579" } ], - "version": 19 + "version": 20 } diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json index b041aea..4997bd1 100644 --- a/clusters/mitre-intrusion-set.json +++ b/clusters/mitre-intrusion-set.json @@ -19,7 +19,7 @@ "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf", "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/", "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/", - "https://www.mandiant.com/resources/operation-saffron-rose" + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf" ], "synonyms": [ "Ajax Security Team", @@ -19529,8 +19529,7 @@ "external_id": "G0042", "refs": [ "https://attack.mitre.org/groups/G0042" - ], - "synonyms": [] + ] }, "related": [ { @@ -20217,8 +20216,7 @@ "external_id": "G0057", "refs": [ "https://attack.mitre.org/groups/G0057" - ], - "synonyms": [] + ] }, "related": [ { @@ -29037,7 +29035,7 @@ "value": "Chimera - G0114" }, { - "description": "[Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in Eastern Asia and the Middle East.(Citation: ESET Gelsemium June 2021)", + "description": "[Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in East Asia and the Middle East.(Citation: ESET Gelsemium June 2021)", "meta": { "external_id": "G0141", "refs": [ 
@@ -29048,43 +29046,7 @@ "Gelsemium" ] }, - "related": [ - { - "dest-uuid": "60c4b628-4807-4b0b-bbf5-fdac8643c337", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "efa7c4d6-8e30-41d9-a8fd-26dc337f4a1b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - } - ], + "related": [], "uuid": "99910207-1741-4da1-9b5d-537410186b51", "value": "Gelsemium - G0141" }, @@ -30747,5 +30709,5 @@ "value": "TeamTNT - G0139" } ], - "version": 25 + "version": 26 } diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json index 9ae4aef..e1ec9c9 100644 --- a/clusters/mitre-malware.json +++ b/clusters/mitre-malware.json @@ -13,7 +13,6 @@ "description": "[Hacking Team UEFI Rootkit](https://attack.mitre.org/software/S0047) is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. (Citation: TrendMicro Hacking Team UEFI)", "meta": { "external_id": "S0047", - "mitre_platforms": [], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/", "https://attack.mitre.org/software/S0047" 
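Review bot: Hunk `@@ -29048` replaces the five `uses` relationships of Gelsemium G0141 with `"related": []`, so the group entry no longer links to any technique or software even though its description only changed wording. At least one of the dropped targets, `7bd9c723-2f78-4309-82c5-47cad406572b`, is added by this same commit to the Gelsemium S0666 malware entry (`@@ -66658` in mitre-malware.json), which suggests upstream ATT&CK v11.2 moved the attribution from the group to the software rather than a generator regression; that should be confirmed against the source bundle before merge, because anyone pivoting group → techniques through this galaxy loses those edges. A one-line mention in the commit message of why the group went from five relations to none would save the next reviewer the same investigation. The enclosing group object starts outside the hunk.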
@@ -2248,7 +2247,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0056", - "https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [ "Net Crawler", @@ -3609,13 +3608,11 @@ "description": "[Power Loader](https://attack.mitre.org/software/S0177) is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)", "meta": { "external_id": "S0177", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0177", "https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html", "https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/" - ], - "synonyms": [] + ] }, "related": [ { @@ -6007,12 +6004,10 @@ "description": "[Miner-C](https://attack.mitre.org/software/S0133) is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. (Citation: Softpedia MinerC)", "meta": { "external_id": "S0133", - "mitre_platforms": [], "refs": [ "http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml", "https://attack.mitre.org/software/S0133" - ], - "synonyms": [] + ] }, "related": [ { @@ -7807,7 +7802,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0004", - "https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [ "TinyZBot" 
@@ -10156,12 +10151,10 @@ "description": "[Wiper](https://attack.mitre.org/software/S0041) is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. (Citation: Dell Wiper)", "meta": { "external_id": "S0041", - "mitre_platforms": [], "refs": [ "http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/", "https://attack.mitre.org/software/S0041" - ], - "synonyms": [] + ] }, "related": [ { @@ -12151,12 +12144,10 @@ "description": "[Uroburos](https://attack.mitre.org/software/S0022) is a rootkit used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla)", "meta": { "external_id": "S0022", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0022", "https://securelist.com/the-epic-turla-operation/65545/" - ], - "synonyms": [] + ] }, "related": [ { @@ -15000,12 +14991,10 @@ "description": "[Zeroaccess](https://attack.mitre.org/software/S0027) is a kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that attempts to add victims to the ZeroAccess botnet, often for monetary gain. (Citation: Sophos ZeroAccess)", "meta": { "external_id": "S0027", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0027", "https://sophosnews.files.wordpress.com/2012/04/zeroaccess2.pdf" - ], - "synonyms": [] + ] }, "related": [ { @@ -15030,12 +15019,10 @@ "description": "[SHIPSHAPE](https://attack.mitre.org/software/S0028) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)", "meta": { "external_id": "S0028", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0028", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" - ], - "synonyms": [] + ] }, "related": [ { 
@@ -15331,11 +15318,9 @@ "description": "", "meta": { "external_id": "S0209", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0209" - ], - "synonyms": [] + ] }, "related": [ { @@ -16073,7 +16058,6 @@ "description": "[FrameworkPOS](https://attack.mitre.org/software/S0503) is a point of sale (POS) malware used by [FIN6](https://attack.mitre.org/groups/G0037) to steal payment card data from sytems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)", "meta": { "external_id": "S0503", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0503", "https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/" @@ -16665,7 +16649,7 @@ "https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01", "https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf", "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf", - "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf " + "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" ], "synonyms": [ "Stuxnet", @@ -17637,7 +17621,6 @@ "description": "[SQLRat](https://attack.mitre.org/software/S0390) is malware that executes SQL scripts to avoid leaving traditional host artifacts. [FIN7](https://attack.mitre.org/groups/G0046) has been observed using it.(Citation: Flashpoint FIN 7 March 2019)", "meta": { "external_id": "S0390", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0390", "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" 
@@ -19094,9 +19077,9 @@ ], "refs": [ "https://attack.mitre.org/software/S0604", - "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf ", - "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf ", - "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf " + "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", + "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" ], "synonyms": [ "Industroyer", @@ -23022,12 +23005,10 @@ "description": "[MobileOrder](https://attack.mitre.org/software/S0079) is a Trojan intended to compromise Android mobile devices. It has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). (Citation: Scarlet Mimic Jan 2016)", "meta": { "external_id": "S0079", - "mitre_platforms": [], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/", "https://attack.mitre.org/software/S0079" - ], - "synonyms": [] + ] }, "related": [ { @@ -23679,12 +23660,10 @@ "description": "[TINYTYPHON](https://attack.mitre.org/software/S0131) is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. (Citation: Forcepoint Monsoon)", "meta": { "external_id": "S0131", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0131", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" - ], - "synonyms": [] + ] }, "related": [ { 
@@ -24092,12 +24071,10 @@ "description": "[HALFBAKED](https://attack.mitre.org/software/S0151) is a malware family consisting of multiple components intended to establish persistence in victim networks. (Citation: FireEye FIN7 April 2017)", "meta": { "external_id": "S0151", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0151", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" - ], - "synonyms": [] + ] }, "related": [ { @@ -25488,12 +25465,10 @@ "description": "[HAPPYWORK](https://attack.mitre.org/software/S0214) is a downloader used by [APT37](https://attack.mitre.org/groups/G0067) to target South Korean government and financial victims in November 2016. (Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0214", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0214", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" - ], - "synonyms": [] + ] }, "related": [ { @@ -27737,12 +27712,10 @@ "description": "[SHUTTERSPEED](https://attack.mitre.org/software/S0217) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0217", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0217", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" - ], - "synonyms": [] + ] }, "related": [ { @@ -28479,12 +28452,10 @@ "description": "[WINERACK](https://attack.mitre.org/software/S0219) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0219", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0219", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" - ], - "synonyms": [] + ] }, "related": [ { @@ -30286,6 +30257,7 @@ "macOS" ], "refs": [ + "http://www.thesafemac.com/new-signed-malware-called-janicab/", "https://attack.mitre.org/software/S0163" ], "synonyms": [ 
@@ -33577,12 +33549,10 @@ "description": "[WINDSHIELD](https://attack.mitre.org/software/S0155) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)", "meta": { "external_id": "S0155", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0155", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" - ], - "synonyms": [] + ] }, "related": [ { @@ -35328,7 +35298,6 @@ "description": "[Tomiris](https://attack.mitre.org/software/S0671) is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between [Tomiris](https://attack.mitre.org/software/S0671) and [GoldMax](https://attack.mitre.org/software/S0588).(Citation: Kaspersky Tomiris Sep 2021)", "meta": { "external_id": "S0671", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0671", "https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/" @@ -43808,12 +43777,10 @@ "description": "[DDKONG](https://attack.mitre.org/software/S0255) is a malware sample that was part of a campaign by [Rancor](https://attack.mitre.org/groups/G0075). [DDKONG](https://attack.mitre.org/software/S0255) was first seen used in February 2017. (Citation: Rancor Unit42 June 2018)", "meta": { "external_id": "S0255", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0255", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" - ], - "synonyms": [] + ] }, "related": [ { 
@@ -56577,7 +56544,6 @@ "description": "[JCry](https://attack.mitre.org/software/S0389) is ransomware written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.(Citation: Carbon Black JCry May 2019)", "meta": { "external_id": "S0389", - "mitre_platforms": [], "refs": [ "https://attack.mitre.org/software/S0389", "https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/" @@ -66563,7 +66529,7 @@ "value": "Kinsing - S0599" }, { - "description": "[Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of dropper (Gelsemine), loader (Gelsenicine), and main (Gelsevirine) plug ins that has been used by the [Gelsemium](https://attack.mitre.org/groups/G0141) group since at least 2014.(Citation: ESET Gelsemium June 2021)", + "description": "[Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://attack.mitre.org/software/S0666) has been used by the Gelsemium group since at least 2014.(Citation: ESET Gelsemium June 2021)", "meta": { "external_id": "S0666", "mitre_platforms": [ @@ -66595,6 +66561,13 @@ ], "type": "uses" }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "tags": [ @@ -66602,6 +66575,13 @@ ], "type": "uses" }, + { + "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "2de47683-f398-448f-b947-9abcc3e32fad", "tags": [ 
@@ -66609,6 +66589,13 @@ ], "type": "uses" }, + { + "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -66616,6 +66603,20 @@ ], "type": "uses" }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ @@ -66624,14 +66625,14 @@ "type": "uses" }, { - "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -66658,6 +66659,20 @@ ], "type": "uses" }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -66679,6 +66694,13 @@ ], "type": "uses" }, + { + "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ 
@@ -66686,6 +66708,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
 "tags": [
@@ -66693,6 +66722,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
 "tags": [
@@ -66700,6 +66736,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
 "tags": [
@@ -66714,6 +66757,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
 "tags": [
@@ -66726,7 +66776,7 @@
 "value": "Gelsemium - S0666"
 },
 {
- "description": "[Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool, written using the Microsoft Foundation Class (MFC) framework, that has infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666).(Citation: ESET Gelsemium June 2021)",
+ "description": "[Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666) malware.(Citation: ESET Gelsemium June 2021)",
 "meta": {
 "external_id": "S0667",
 "mitre_platforms": [
@@ -66755,6 +66805,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
 "tags": [
@@ -66763,7 +66820,35 @@
 "type": "uses"
 },
 {
- "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -66776,6 +66861,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
 "tags": [
@@ -68231,5 +68323,5 @@
 "value": "HermeticWizard - S0698"
 }
 ],
- "version": 24
+ "version": 25
 }
diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json
index 6864bc4..1e8736f 100644
--- a/clusters/mitre-tool.json
+++ b/clusters/mitre-tool.json
@@ -41,12 +41,10 @@
 "description": "[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)",
 "meta": {
 "external_id": "S0122",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0122",
 "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -300,12 +298,10 @@
 "description": "[Invoke-PSImage](https://attack.mitre.org/software/S0231) takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from a file of from the web. Example of usage is embedding the PowerShell code from the Invoke-Mimikatz module and embed it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. (Citation: GitHub Invoke-PSImage)",
 "meta": {
 "external_id": "S0231",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0231",
 "https://github.com/peewpw/Invoke-PSImage"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -323,12 +319,10 @@
 "description": "[ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)",
 "meta": {
 "external_id": "S0100",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0100",
 "https://technet.microsoft.com/en-us/library/bb490921.aspx"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -726,12 +720,10 @@
 "description": "[ifconfig](https://attack.mitre.org/software/S0101) is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)",
 "meta": {
 "external_id": "S0101",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0101",
 "https://en.wikipedia.org/wiki/Ifconfig"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -776,12 +768,10 @@
 "description": "[nbtstat](https://attack.mitre.org/software/S0102) is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)",
 "meta": {
 "external_id": "S0102",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0102",
 "https://technet.microsoft.com/en-us/library/cc940106.aspx"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -806,12 +796,10 @@
 "description": "[route](https://attack.mitre.org/software/S0103) can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)",
 "meta": {
 "external_id": "S0103",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0103",
 "https://technet.microsoft.com/en-us/library/bb490991.aspx"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -829,12 +817,10 @@
 "description": "[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)",
 "meta": {
 "external_id": "S0104",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0104",
 "https://technet.microsoft.com/en-us/library/bb490947.aspx"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -1747,12 +1733,10 @@
 "description": "The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)",
 "meta": {
 "external_id": "S0057",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0057",
 "https://technet.microsoft.com/en-us/library/bb491010.aspx"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -1896,12 +1880,10 @@
 "description": "[Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)",
 "meta": {
 "external_id": "S0096",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0096",
 "https://technet.microsoft.com/en-us/library/bb491007.aspx"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -1919,12 +1901,10 @@
 "description": "[Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)",
 "meta": {
 "external_id": "S0097",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0097",
 "https://technet.microsoft.com/en-us/library/bb490968.aspx"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -2034,12 +2014,10 @@
 "description": "[UACMe](https://attack.mitre.org/software/S0116) is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)",
 "meta": {
 "external_id": "S0116",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0116",
 "https://github.com/hfiref0x/UACME"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -2091,13 +2069,11 @@
 "description": "[Winexe](https://attack.mitre.org/software/S0191) is a lightweight, open source tool similar to [PsExec](https://attack.mitre.org/software/S0029) designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) [Winexe](https://attack.mitre.org/software/S0191) is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)",
 "meta": {
 "external_id": "S0191",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0191",
 "https://github.com/skalkoto/winexe/",
 "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -2122,12 +2098,10 @@
 "description": "[xCmd](https://attack.mitre.org/software/S0123) is an open source tool that is similar to [PsExec](https://attack.mitre.org/software/S0029) and allows the user to execute applications on remote systems. (Citation: xCmd)",
 "meta": {
 "external_id": "S0123",
- "mitre_platforms": [],
 "refs": [
 "https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/",
 "https://attack.mitre.org/software/S0123"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -2682,12 +2656,10 @@
 "description": "[Forfiles](https://attack.mitre.org/software/S0193) is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. (Citation: Microsoft Forfiles Aug 2016)",
 "meta": {
 "external_id": "S0193",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0193",
 "https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753551(v=ws.11)"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -2774,12 +2746,10 @@
 "description": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)",
 "meta": {
 "external_id": "S0174",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0174",
 "https://github.com/SpiderLabs/Responder"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -3061,8 +3031,8 @@
 "Windows"
 ],
 "refs": [
- " https://unit42.paloaltonetworks.com/ironnetinjector/",
- "https://attack.mitre.org/software/S0581"
+ "https://attack.mitre.org/software/S0581",
+ "https://unit42.paloaltonetworks.com/ironnetinjector/"
 ],
 "synonyms": [
 "IronNetInjector"
@@ -3237,12 +3207,10 @@
 "description": "[Havij](https://attack.mitre.org/software/S0224) is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. (Citation: Check Point Havij Analysis)",
 "meta": {
 "external_id": "S0224",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0224",
 "https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -3260,12 +3228,10 @@
 "description": "[sqlmap](https://attack.mitre.org/software/S0225) is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. (Citation: sqlmap Introduction)",
 "meta": {
 "external_id": "S0225",
- "mitre_platforms": [],
 "refs": [
 "http://sqlmap.org/",
 "https://attack.mitre.org/software/S0225"
- ],
- "synonyms": []
+ ]
 },
 "related": [
 {
@@ -3810,7 +3776,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/software/S0552",
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ ",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
 "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
 "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html"
 ],
@@ -4336,7 +4302,7 @@
 ],
 "refs": [
 "https://attack.mitre.org/software/S0363",
- "https://github.com/EmpireProject/Empire",
+ "https://github.com/PowerShellEmpire/Empire",
 "https://github.com/dstepanic/attck_empire",
 "https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools"
 ],
@@ -5607,7 +5573,6 @@
 "description": "[ROADTools](https://attack.mitre.org/software/S0684) is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.(Citation: ROADtools Github)",
 "meta": {
 "external_id": "S0684",
- "mitre_platforms": [],
 "refs": [
 "https://attack.mitre.org/software/S0684",
 "https://github.com/dirkjanm/ROADtools"
@@ -5962,7 +5927,8 @@
 "refs": [
 "https://attack.mitre.org/software/S0677",
 "https://github.com/Gerenios/AADInternals",
- "https://o365blog.com/aadinternals"
+ "https://o365blog.com/aadinternals",
+ "https://o365blog.com/aadinternals/"
 ],
 "synonyms": [
 "AADInternals"
@@ -6216,5 +6182,5 @@
 "value": "Mythic - S0699"
 }
 ],
- "version": 23
+ "version": 24
 }
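Review bot: The AADInternals `refs` in hunk `@@ -5962,7 +5927,8 @@` now carry both `"https://o365blog.com/aadinternals"` and `"https://o365blog.com/aadinternals/"`, which differ only by the trailing slash and point at the same page. The generator presumably deduplicates refs by exact string comparison, so the near-duplicate passes through; normalising trailing slashes (and surrounding whitespace) before comparing, or dropping the older form, would keep one entry. The same class of problem is what the Ryuk hunk `@@ -3810,7 +3776,7 @@` and the IronNetInjector hunk on the previous line fix by hand (a stray trailing or leading space inside the URL string), so a normalisation step at generation time would cover all three cases and stop them recurring on the next bump.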