Merge branch 'master' into master

This commit is contained in:
Kafeine 2017-08-29 12:41:33 +01:00 committed by GitHub
commit 4b94d36d2e
35 changed files with 20312 additions and 2424 deletions

@ -20,13 +20,24 @@ to localized information (which is not shared) or additional information (that c
- [clusters/microsoft-activity-group.json](clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft.
- [clusters/preventive-measure.json](clusters/preventive-measure.json) - Preventive measures.
- [clusters/ransomware.json](clusters/ransomware.json) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml
- [clusters/rat.json](clusters/rat.json) - remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system.
- [clusters/tds.json](clusters/tds.json) - TDS is a list of Traffic Direction System used by adversaries.
- [clusters/threat-actor.json](clusters/threat-actor.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP
- [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
- [clusters/mitre_attack-pattern.json](clusters/mitre_attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_course-of-action.json](clusters/mitre_course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_intrusion-set.json](clusters/mitre_intrusion-set.json) - Intrusion Test - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_malware.json](clusters/mitre_malware.json) - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_tool.json](clusters/mitre_tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
# Available Vocabularies
A [readable PDF overview of the MISP galaxy is available](https://www.misp.software/galaxy.pdf) or [HTML](https://www.misp.software/galaxy.html) and generated from the JSON.
## Common
- [vocabularies/common/certainty-level.json](vocabularies/common/certainty-level.json) - Certainty level of an associated element or cluster.
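Review bot: `Intrusion Test` on the `clusters/mitre_intrusion-set.json` bullet should read `Intrusion Set`, which is what the file name and the ATT&CK object type it lists actually denote. A blank line between the last bullet and `# Available Vocabularies` would also keep the list and the heading as separate Markdown blocks.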
@ -50,7 +61,7 @@ In the world of threat intelligence, there are many different models or approach
Fork the project, update or create elements or clusters and make a pull-request.
We recommend to validate the JSON file using [jq](https://stedolan.github.io/jq/) before doing a pull-request.
We recommend to validate the JSON file using [jq](https://stedolan.github.io/jq/) and [validate_all.sh](https://github.com/MISP/misp-galaxy/blob/master/validate_all.sh) before doing a pull-request.
## License
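Review bot: the retained recommendation should read `We recommend validating the JSON files with jq and validate_all.sh before opening a pull request`; `recommend to validate` and `doing a pull-request` are ungrammatical, and since the jq-only line is being replaced here anyway, the wording can be fixed in the same change.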

@ -1,16 +1,11 @@
{
"values": [
{
"values": [{
"value": "Astrum",
"description": "Astrum Exploit Kit is a private Exploit Kit used in massive scale malvertising campaigns. It's notable by its use of Steganography",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2014/09/astrum-ek.html",
"http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/"
],
"synonyms": [
"Stegano EK"
],
"refs": ["http://malware.dontneedcoffee.com/2014/09/astrum-ek.html",
"http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/"],
"synonyms": ["Stegano EK"],
"status": "Active"
}
},
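Review bot: the packed arrays introduced here (`"refs": ["http://malware.dontneedcoffee.com/2014/09/astrum-ek.html",` and `"synonyms": ["Stegano EK"],`) together with the `"values": [{` opener replace a one-element-per-line layout, so a purely cosmetic reformat is mixed into the content changes for the whole file. Since this same commit's README recommends validating with jq and validate_all.sh, running the file through `jq .` before committing would give one canonical layout and keep future diffs limited to real edits.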
@ -20,33 +15,24 @@
"meta": {
"status": "Active"
}
}
,
{ "value": "Terror EK",
},
{
"value": "Terror EK",
"description": "Terror EK is built on Hunter, Sundown and RIG EK code",
"meta": {
"refs": [
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-like-Error-Exploit-Kit/"
],
"synonyms": [
"Blaze EK",
"Neptune EK"
]
,
"refs": ["https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-like-Error-Exploit-Kit/"],
"synonyms": ["Blaze EK",
"Neptune EK"],
"status": "Active"
}
}
,
{ "value": "DealersChoice",
},
{
"value": "DealersChoice",
"description": "DealersChoice is a Flash Player Exploit platform triggered by RTF",
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/"
],
"synonyms": [
"Sednit RTF EK"
],
"refs": ["http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/"],
"synonyms": ["Sednit RTF EK"],
"status": "Active"
}
},
@ -54,39 +40,27 @@
"value": "DNSChanger",
"description": "DNSChanger Exploit Kit is an exploit kit targeting Routers via the browser",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html",
"https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices"
],
"synonyms": [
"RouterEK"
],
"refs": ["http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html",
"https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices"],
"synonyms": ["RouterEK"],
"status": "Active"
}
}
,{
},
{
"value": "Disdain",
"description": "Disdain EK has been introduced on underground forum on 2017-08-07. The panel is stolen from Sundown, the pattern are Terror alike and the obfuscation reminds Nebula",
"meta": {
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/"
],
"refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/"],
"status": "Active"
}
}
,
},
{
"value": "Kaixin",
"description": "Kaixin is an exploit kit mainly seen behind compromised website in Asia",
"meta": {
"refs": [
"http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/",
"http://www.kahusecurity.com/2012/new-chinese-exploit-pack/"
],
"synonyms": [
"CK vip"
],
"refs": ["http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/",
"http://www.kahusecurity.com/2012/new-chinese-exploit-pack/"],
"synonyms": ["CK vip"],
"status": "Active"
}
},
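Review bot: the Disdain description needs a grammar pass: `Disdain EK has been introduced on underground forum on 2017-08-07. The panel is stolen from Sundown, the pattern are Terror alike and the obfuscation reminds Nebula` reads better as `Disdain EK was introduced on an underground forum on 2017-08-07. Its panel is taken from Sundown, its patterns resemble Terror and its obfuscation is reminiscent of Nebula`. In the same hunk, the Kaixin entry's `behind compromised website in Asia` should be `behind compromised websites in Asia`.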
@ -94,16 +68,12 @@
"value": "Magnitude",
"description": "Magnitude EK",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/10/Magnitude.html",
"refs": ["http://malware.dontneedcoffee.com/2013/10/Magnitude.html",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Peek-Into-the-Lion-s-Den-%E2%80%93-The-Magnitude--aka-PopAds--Exploit-Kit/",
"http://malware.dontneedcoffee.com/2014/02/and-real-name-of-magnitude-is.html",
"https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood"
],
"synonyms": [
"Popads EK",
"TopExp"
],
"https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood"],
"synonyms": ["Popads EK",
"TopExp"],
"status": "Active"
}
},
@ -111,29 +81,23 @@
"value": "MWI",
"description": "Microsoft Word Intruder is an exploit kit focused on Word and embedded flash exploits. The author wants to avoid their customer to use it in mass spam campaign, so it's most often connected to semi-targeted attacks",
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html",
"https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf"
],
"refs": ["https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html",
"https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf"],
"status": "Active"
}
}
,
{ "value": "RIG",
},
{
"value": "RIG",
"description": "RIG is an exploit kit that takes its source in Infinity EK itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible by \"vip\" customers and when RIG 3 was still in use.",
"meta": {
"refs": [
"http://www.kahusecurity.com/2014/rig-exploit-pack/",
"refs": ["http://www.kahusecurity.com/2014/rig-exploit-pack/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Reloaded---Examining-the-Architecture-of-RIG-Exploit-Kit-3-0/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/",
"http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html"
],
"synonyms": [
"RIG 3",
"http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html"],
"synonyms": ["RIG 3",
"RIG-v",
"RIG 4",
"Meadgive"
],
"Meadgive"],
"status": "Active"
}
},
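Review bot: the MWI description `The author wants to avoid their customer to use it in mass spam campaign` is hard to parse; suggest `The author does not want customers to use it in mass spam campaigns, so it is most often seen in semi-targeted attacks`. The RIG description's `takes its source in Infinity EK itself an evolution of Redkit` should read `derives from Infinity EK, itself an evolution of Redkit`.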
@ -141,10 +105,8 @@
"value": "Sednit EK",
"description": "Sednit EK is the exploit kit used by APT28",
"meta": {
"refs": [
"http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/"
],
"refs": ["http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/"],
"status": "Active"
}
},
@ -152,13 +114,9 @@
"value": "Sundown-P",
"description": "Sundown-P/Sundown-Pirate is a rip of Sundown seen used in a private way (One group using it only) - First spotted at the end of June 2017, branded as CaptainBlack in August 2017",
"meta": {
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/promediads-malvertising-sundown-pirate-exploit-kit/"
],
"synonyms": [
"Sundown-Pirate",
"CaptainBlack"
],
"refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/promediads-malvertising-sundown-pirate-exploit-kit/"],
"synonyms": ["Sundown-Pirate",
"CaptainBlack"],
"status": "Active"
}
},
@ -166,24 +124,18 @@
"value": "Bizarro Sundown",
"description": "Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features",
"meta": {
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/",
"https://blog.malwarebytes.com/cybercrime/exploits/2016/10/yet-another-sundown-ek-variant/"
],
"synonyms": [
"Sundown-b"
],
"refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/",
"https://blog.malwarebytes.com/cybercrime/exploits/2016/10/yet-another-sundown-ek-variant/"],
"synonyms": ["Sundown-b"],
"status": "Retired"
}
}, { "value": "Hunter",
},
{
"value": "Hunter",
"description": "Hunter EK is an evolution of 3Ros EK",
"meta": {
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers"
],
"synonyms": [
"3ROS Exploit Kit"
],
"refs": ["https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers"],
"synonyms": ["3ROS Exploit Kit"],
"status": "Retired - Last seen 2017-02-06"
}
},
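Review bot: the Hunter status `Retired - Last seen 2017-02-06` omits the colon the same field carries elsewhere in this file (`Retired - Last seen: 2016-06-07` for Angler), and `status` in general mixes `Active`, `Retired`, `Unknown` and free-text dates in one string. Settling on one form, `Retired - Last seen: YYYY-MM-DD`, or keeping the date in its own meta key, would let consumers filter on status without string parsing.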
@ -191,12 +143,8 @@
"value": "GreenFlash Sundown",
"description": "GreenFlash Sundown is a variation of Bizarro Sundown without landing",
"meta": {
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/"
],
"synonyms": [
"Sundown-GF"
],
"refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/"],
"synonyms": ["Sundown-GF"],
"status": "Active"
}
},
@ -204,16 +152,12 @@
"value": "Angler",
"description": "The Angler Exploit Kit has been the most popular and evolved exploit kit from 2014 to middle of 2016. There was several variation. The historical \"indexm\" variant was used to spread Lurk. A vip version used notabily to spread Poweliks, the \"standard\" commercial version, and a declinaison tied to load selling (mostly bankers) that can be associated to EmpirePPC",
"meta": {
"refs": [
"https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/",
"refs": ["https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/",
"http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html",
"http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html"
],
"synonyms": [
"XXX",
"http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html"],
"synonyms": ["XXX",
"AEK",
"Axpergle"
],
"Axpergle"],
"status": "Retired - Last seen: 2016-06-07"
}
},
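Review bot: the Angler description has several grammar slips: `There was several variation` should be `There were several variations`, `notabily` should be `notably`, and `a declinaison tied to load selling` should be `a variant tied to load selling`.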
@ -221,9 +165,7 @@
"value": "Archie",
"description": "Archie EK",
"meta": {
"refs": [
"https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit"
],
"refs": ["https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit"],
"status": "Retired"
}
},
@ -231,13 +173,9 @@
"value": "BlackHole",
"description": "The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch's arrest (all activity since then is anecdotal and based on an old leak)",
"meta": {
"refs": [
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/",
"https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/"
],
"synonyms": [
"BHEK"
],
"refs": ["https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/",
"https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/"],
"synonyms": ["BHEK"],
"status": "Retired - Last seen: 2013-10-07"
}
},
@ -245,14 +183,10 @@
"value": "Bleeding Life",
"description": "Bleeding Life is an exploit kit that became open source with its version 2",
"meta": {
"refs": [
"http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/",
"http://thehackernews.com/2011/10/bleeding-life-2-exploit-pack-released.html"
],
"synonyms": [
"BL",
"BL2"
],
"refs": ["http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/",
"http://thehackernews.com/2011/10/bleeding-life-2-exploit-pack-released.html"],
"synonyms": ["BL",
"BL2"],
"status": "Retired"
}
},
@ -260,15 +194,11 @@
"value": "Cool",
"description": "The Cool Exploit Kit was a kind of BlackHole VIP in 2012/2013",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/10/newcoolek.html",
"refs": ["http://malware.dontneedcoffee.com/2012/10/newcoolek.html",
"http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html",
"http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/"
],
"synonyms": [
"CEK",
"Styxy Cool"
],
"http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/"],
"synonyms": ["CEK",
"Styxy Cool"],
"status": "Retired - Last seen: 2013-10-07"
}
},
@ -276,46 +206,32 @@
"value": "Fiesta",
"description": "Fiesta Exploit Kit",
"meta": {
"refs": [
"http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an",
"http://www.kahusecurity.com/2011/neosploit-is-back/"
],
"synonyms": [
"NeoSploit",
"Fiexp"
]
,
"refs": ["http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an",
"http://www.kahusecurity.com/2011/neosploit-is-back/"],
"synonyms": ["NeoSploit",
"Fiexp"],
"status": "Retired - Last Seen: beginning of 2015-07"
}
}
,
{ "value": "Empire",
},
{
"value": "Empire",
"description": "The Empire Pack is a variation of RIG operated by a load seller. It's being fed by many traffic actors",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html"
],
"synonyms": [
"RIG-E"
]
,
"refs": ["http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html"],
"synonyms": ["RIG-E"],
"status": "Retired - Last seen: 2016-12-29"
}
}
,
{ "value": "FlashPack",
},
{
"value": "FlashPack",
"description": "FlashPack EK got multiple fork. The most common variant seen was the standalone Flash version",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html",
"http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html"
],
"synonyms": [
"FlashEK",
"refs": ["http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html",
"http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html"],
"synonyms": ["FlashEK",
"SafePack",
"CritXPack",
"Vintage Pack"
],
"Vintage Pack"],
"status": "Retired - Last seen: middle of 2015-04"
}
},
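Review bot: the Fiesta status `Retired - Last Seen: beginning of 2015-07` capitalises `Seen` unlike the other entries' `Last seen`, which matters as soon as anything filters on that string. The FlashPack description `FlashPack EK got multiple fork` should be `FlashPack EK had multiple forks`.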
@ -323,15 +239,11 @@
"value": "GrandSoft",
"description": "GrandSoft Exploit Kit was a quite common exploit kit used in 2012/2013",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html",
"refs": ["http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html",
"http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html",
"https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/"
],
"synonyms": [
"StampEK",
"SofosFO"
],
"https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/"],
"synonyms": ["StampEK",
"SofosFO"],
"status": "Retired - Last seen: 2014-03"
}
},
@ -339,12 +251,10 @@
"value": "HanJuan",
"description": "Hanjuan EK was a one actor fed variation of Angler EK used in evolved malvertising chain targeting USA. It has been using a 0day (CVE-2015-0313) from beginning of December 2014 till beginning of February 2015",
"meta": {
"refs": [
"http://www.malwaresigs.com/2013/10/14/unknown-ek/",
"refs": ["http://www.malwaresigs.com/2013/10/14/unknown-ek/",
"https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-exploit-kit-in-cve-2015-0313-attack",
"https://twitter.com/kafeine/status/562575744501428226"
],
"https://twitter.com/kafeine/status/562575744501428226"],
"status": "Retired - Last seen: 2015-07"
}
},
@ -352,12 +262,8 @@
"value": "Himan",
"description": "Himan Exploit Kit",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/10/HiMan.html"
],
"synonyms": [
"High Load"
],
"refs": ["http://malware.dontneedcoffee.com/2013/10/HiMan.html"],
"synonyms": ["High Load"],
"status": "Retired - Last seen: 2014-04"
}
},
@ -365,9 +271,7 @@
"value": "Impact",
"description": "Impact EK",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html"
],
"refs": ["http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html"],
"status": "Retired"
}
},
@ -375,14 +279,10 @@
"value": "Infinity",
"description": "Infinity is an evolution of Redkit",
"meta": {
"refs": [
"http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html",
"http://www.kahusecurity.com/2014/the-resurrection-of-redkit/"
],
"synonyms": [
"Redkit v2.0",
"Goon"
],
"refs": ["http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html",
"http://www.kahusecurity.com/2014/the-resurrection-of-redkit/"],
"synonyms": ["Redkit v2.0",
"Goon"],
"status": "Retired - Last seen: 2014-07"
}
},
@ -390,52 +290,39 @@
"value": "Lightsout",
"description": "Lightsout Exploit Kit has been used in Watering Hole attack performed by the APT Group havex",
"meta": {
"refs": [
"http://blog.talosintel.com/2014/03/hello-new-exploit-kit.html",
"refs": ["http://blog.talosintel.com/2014/03/hello-new-exploit-kit.html",
"http://blog.talosintel.com/2014/05/continued-analysis-of-lightsout-exploit.html",
"http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html"
],
"http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html"],
"status": "Unknown - Last seen: 2014-03"
}
},
{ "value": "Nebula",
{
"value": "Nebula",
"description": "Nebula Exploit Kit has been built on Sundown source and features an internal TDS",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html"
],
"refs": ["http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html"],
"status": "Retired - Last seen 2017-03-09"
}
}
,
{ "value": "Neutrino",
},
{
"value": "Neutrino",
"description": "Neutrino Exploit Kit has been one of the major exploit kit from its launch in 2013 till september 2016 when it become private (defense name for this variation is Neutrino-v). This EK vanished from march 2014 till november 2014.",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html",
"http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html"
],
"synonyms": [
"Job314",
"refs": ["http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html",
"http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html"],
"synonyms": ["Job314",
"Neutrino Rebooted",
"Neutrino-v"
]
,
"Neutrino-v"],
"status": "Retired - Last seen 2017-04-10"
}
}
,
},
{
"value": "Niteris",
"description": "Niteris was used mainly to target Russian.",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2014/06/cottoncastle.html",
"http://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html"
],
"synonyms": [
"CottonCastle"
],
"refs": ["http://malware.dontneedcoffee.com/2014/06/cottoncastle.html",
"http://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html"],
"synonyms": ["CottonCastle"],
"status": "Unknown - Last seen: 2015-11"
}
},
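Review bot: the Neutrino description should read `Neutrino Exploit Kit was one of the major exploit kits from its launch in 2013 until September 2016, when it went private (the defense name for this variation is Neutrino-v). This EK vanished from March 2014 until November 2014.`; as written it has subject-verb and tense errors. The Niteris description `Niteris was used mainly to target Russian.` looks truncated (Russian users? Russia?) and should be completed.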
@ -443,15 +330,11 @@
"value": "Nuclear",
"description": "The Nuclear Pack appeared in 2009 and has been one of the longer living one. Spartan EK was a landing less variation of Nuclear Pack",
"meta": {
"refs": [
"http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/"
],
"synonyms": [
"NEK",
"refs": ["http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/"],
"synonyms": ["NEK",
"Nuclear Pack",
"Spartan",
"Neclu"
],
"Neclu"],
"status": "Retired - Last seen: 2015-04-30"
}
},
@ -459,13 +342,9 @@
"value": "Phoenix",
"description": "Phoenix Exploit Kit",
"meta": {
"refs": [
"http://malwareint.blogspot.fr/2010/09/phoenix-exploits-kit-v21-inside.html",
"http://blog.trendmicro.com/trendlabs-security-intelligence/now-exploiting-phoenix-exploit-kit-version-2-5/"
],
"synonyms": [
"PEK"
],
"refs": ["http://malwareint.blogspot.fr/2010/09/phoenix-exploits-kit-v21-inside.html",
"http://blog.trendmicro.com/trendlabs-security-intelligence/now-exploiting-phoenix-exploit-kit-version-2-5/"],
"synonyms": ["PEK"],
"status": "Retired"
}
},
@ -473,13 +352,9 @@
"value": "Private Exploit Pack",
"description": "Private Exploit Pack",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html",
"http://malwageddon.blogspot.fr/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html"
],
"synonyms": [
"PEP"
],
"refs": ["http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html",
"http://malwageddon.blogspot.fr/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html"],
"synonyms": ["PEP"],
"status": "Retired"
}
},
@ -487,11 +362,9 @@
"value": "Redkit",
"description": "Redkit has been a major exploit kit in 2012. One of its specific features was to allow its access against a share of a percentage of the customer's traffic",
"meta": {
"refs": [
"https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Wild-Exploit-Kit-Appears----Meet-RedKit/",
"refs": ["https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Wild-Exploit-Kit-Appears----Meet-RedKit/",
"http://malware.dontneedcoffee.com/2012/05/inside-redkit.html",
"https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/"
],
"https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/"],
"status": "Retired"
}
},
@ -499,43 +372,30 @@
"value": "Sakura",
"description": "Description Here",
"meta": {
"refs": [
"http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html"
],
"refs": ["http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html"],
"status": "Retired - Last seen: 2013-09"
}
}
,
},
{
"value": "Sundown",
"description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html",
"https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road"
],
"synonyms": [
"Beps",
"refs": ["http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html",
"https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road"],
"synonyms": ["Beps",
"Xer",
"Beta"
],
"Beta"],
"status": "Retired - Last seen 2017-03-08",
"colour": "#C03701"
}
}
,
},
{
"value": "Sweet-Orange",
"description": "Sweet Orange",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html"
],
"synonyms": [
"SWO",
"Anogre"
],
"refs": ["http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html"],
"synonyms": ["SWO",
"Anogre"],
"status": "Retired - Last seen: 2015-04-05"
}
},
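Review bot: the Sakura entry still carries the template placeholder `"description": "Description Here"`; either write a one-line description or drop the key rather than shipping the placeholder. Sundown is also the only entry in this file with a `"colour": "#C03701"` key; if that is intentional it deserves a sentence in the PR, otherwise remove it for consistency with the other entries.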
@ -543,11 +403,9 @@
"value": "Styx",
"description": "Styx Exploit Kit",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html",
"refs": ["http://malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html",
"https://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto/",
"http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html"
],
"http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html"],
"status": "Retired - Last seen: 2014-06"
}
},
@ -555,9 +413,7 @@
"value": "WhiteHole",
"description": "WhiteHole Exploit Kit appeared in January 2013 in the tail of the CVE-2013-0422",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html"
],
"refs": ["http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html"],
"status": "Retired - Last seen: 2013-12"
}
},
@ -565,22 +421,17 @@
"value": "Unknown",
"description": "Unknown Exploit Kit. This is a place holder for any undocumented Exploit Kit. If you use this tag, we will be more than happy to give the associated EK a deep look.",
"meta": {
"refs": [
"https://twitter.com/kafeine",
"refs": ["https://twitter.com/kafeine",
"https://twitter.com/node5",
"https://twitter.com/kahusecurity"
]
"https://twitter.com/kahusecurity"]
}
}
],
}],
"version": 5,
"uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01",
"description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
"authors": [
"Kafeine",
"authors": ["Kafeine",
"Will Metcalf",
"KahuSecurity"
],
"KahuSecurity"],
"source": "MISP Project",
"type": "exploit-kit",
"name": "Exploit-Kit"
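Review bot: the galaxy description is missing a space and an agreement fix: `router exploit kits.It's not meant to be totally exhaustive but aim at covering` should be `router exploit kits. It's not meant to be totally exhaustive but aims at covering`. Please also confirm that `"version": 5` was bumped as part of this change, since MISP uses that version number to detect updated clusters.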

@ -1,36 +1,49 @@
{
"version": 3,
"uuid": "28b5e55d-acba-4748-a79d-0afa3512689a",
"description": "Activity groups as described by Microsoft",
"authors": [
"Various"
],
"source": "MISP Project",
"type": "microsoft-activity-group",
"name": "Microsoft Activity Group actor",
"values": [
{
"value": "PROMETHIUM",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
},
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"value": "PROMETHIUM"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
}
},
{
"value": "NEODYMIUM",
"description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoors characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
}
"value": "NEODYMIUM"
},
{
"value": "TERBIUM",
"description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"
]
}
},
"description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
"value": "TERBIUM"
},
{
"value": "STRONTIUM",
"description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims computer. ",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/",
"http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf",
"https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/"
],
"country": "RU",
"synonyms": [
"APT 28",
"APT28",
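Review bot: the order of `value`, `description`, `meta` and `country` changes inside every entry here (`"value": "PROMETHIUM"` moves from the end of the object to the top, `"country": "RU"` moves above `synonyms`), so most of this hunk is reordering rather than content; emitting the file through `jq -S .` or agreeing on one key order would keep such diffs readable. Two typos remain: `one of server common computer utilities` in the PROMETHIUM description should be `one of several common computer utilities`, and `This backdoors characteristics` in the NEODYMIUM description should be `This backdoor's characteristics`.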
@ -42,66 +55,62 @@
"Group-4127",
"Sofacy",
"Grey-Cloud"
],
"country": "RU",
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/",
"http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf",
"https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/"
]
}
},
"description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims computer. ",
"value": "STRONTIUM"
},
{
"description": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.",
"value": "DUBNIUM",
"meta": {
"synonyms": [
"darkhotel"
],
"refs": [
"https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
"https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2",
"https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/",
"https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/"
],
"synonyms": [
"darkhotel"
]
},
"value": "DUBNIUM",
"description": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features."
}
},
{
"description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The groups persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.",
"value": "PLATINUM",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/",
"http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
]
},
"value": "PLATINUM",
"description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The groups persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat."
}
},
{
"value": "BARIUM",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
},
"description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
}
"value": "BARIUM"
},
{
"value": "LEAD",
"description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEADs victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEADs objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEADs attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
},
"description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEADs victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEADs objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEADs attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
"value": "LEAD"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/"
]
},
"description": "In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit. ",
"value": "ZIRCONIUM"
}
}
],
"name": "Microsoft Activity Group actor",
"type": "microsoft-activity-group",
"source": "MISP Project",
"authors": [
"Various"
],
"description": "Activity groups as described by Microsoft",
"uuid": "28b5e55d-acba-4748-a79d-0afa3512689a",
"version": 2
]
}
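Review bot: the LEAD description in this hunk (the line starting `"description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEADs victims have included: Multinational, multi-industry companies`) was pasted from the referenced Microsoft blog post with its bullet list flattened, so the victim list runs together as one sentence ("...textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering...") and the opening "In contrast" only makes sense as a continuation of the BARIUM paragraph; separate the list items (semicolons, or a comma-separated list) and drop "In contrast,". The STRONTIUM, PLATINUM and LEAD descriptions have also lost their possessive apostrophes ("the victims computer", "The groups persistent use", "LEADs victims", "LEADs objective", "LEADs attacks"), which looks like curly quotes stripped on import; restore "victim's", "group's" and "LEAD's", and trim the trailing space at the end of the STRONTIUM and ZIRCONIUM descriptions. The rest of the hunk is key reordering only ("value", "description" and "meta" change position with identical content, and the STRONTIUM "refs" and DUBNIUM "synonyms" arrays each appear twice), which buries those text changes; if the galaxy files are being normalised, run the formatter in a separate commit so content edits stay reviewable.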

File diff suppressed because it is too large

@ -0,0 +1,909 @@
{
"uuid": "a8825ae8-6dea-11e7-8d57-7728f3cfe086",
"description": "ATT&CK Mitigation",
"type": "mitre-course-of-action",
"source": "https://github.com/mitre/cti",
"authors": [
"MITRE"
],
"name": "Course of Action",
"version": 3,
"values": [
{
"meta": {
"uuid": "ff5d862a-ae6b-4833-8c15-e235d654d28e"
},
"description": "Direct mitigation of this technique may not be recommended for a particular environment since COM objects are a legitimate part of the operating system and installed software. Blocking COM object changes may have unforeseen side effects to legitimate functionality.\n\nInstead, identify and block potentially malicious software that may execute, or be executed by, this technique using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Component Object Model Hijacking Mitigation"
},
{
"meta": {
"uuid": "92c28497-2820-445e-9f3e-a03dd77dc0c8"
},
"description": "Mitigations for command and control apply. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Exfiltration Over Command and Control Channel Mitigation"
},
{
"meta": {
"uuid": "74febc44-8955-4e4d-aca0-d4dad2f967d7"
},
"description": "Mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. \n\nIdentify or block potentially malicious software that may contain DLL injection functionality by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "DLL Injection Mitigation"
},
{
"meta": {
"uuid": "beb45abb-11e8-4aef-9778-1f9ac249784f"
},
"description": "Remove users from the local administrator group on systems. Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as [[Technique/T1038|DLL Search Order Hijacking]]. \n\nCheck for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.[[CiteRef::Github UACMe]]",
"value": "Bypass User Account Control Mitigation"
},
{
"meta": {
"uuid": "f28a20fd-d173-4603-807e-2cb3f51bdf04"
},
"description": "Audit and/or block command-line interpreters by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Command-Line Interface Mitigation"
},
{
"meta": {
"uuid": "96913243-2b5e-4483-a65c-bb152ddd2f04"
},
"description": "Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses.[[CiteRef::Powersploit]]\n\nIdentify and block potentially malicious software that may be executed through search order hijacking by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] that are capable of auditing and/or blocking unknown DLLs.",
"value": "DLL Search Order Hijacking Mitigation"
},
{
"meta": {
"uuid": "a0d8db1d-a731-4428-8209-c07175f4b1fe"
},
"description": "Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports. \n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Uncommonly Used Port Mitigation"
},
{
"meta": {
"uuid": "a90da496-b460-47e8-92e7-cc36eb00bd9a"
},
"description": "Regsvcs and Regasm may not be necessary within a given environment. Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuess by adversaries.",
"value": "Regsvcs/Regasm Mitigation"
},
{
"meta": {
"uuid": "c88151a5-fe3f-4773-8147-d801587065a4"
},
"description": "Grant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [[Technique/T1068|Exploitation of Vulnerability]]. \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.",
"value": "Application Deployment Software Mitigation"
},
{
"meta": {
"uuid": "7c1796c7-9fc3-4c3e-9416-527295bf5d95"
},
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Commonly Used Port Mitigation"
},
{
"meta": {
"uuid": "ba2ec548-fb75-4b8c-88d6-d91a77a943cf"
},
"description": "Disabling WMI or RPCS may cause system instability and should be evaluated to assess the impact to a network. By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI. Prevent credential overlap across systems of administrator and privileged accounts.[[CiteRef::FireEye WMI 2015]]",
"value": "Windows Management Instrumentation Mitigation"
},
{
"meta": {
"uuid": "e0703d4f-3972-424a-8277-84004817e024"
},
"description": "Eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them[[CiteRef::Microsoft CreateProcess]]. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate[[CiteRef::MSDN DLL Security]]. Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries.\n\nPeriodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations[[CiteRef::Kanthak Sentinel]]. \n\nRequire that all executables be placed in write-protected directories. Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory <code>C:</code> and system directories, such as <code>C:\\Windows\\</code>, to reduce places where malicious files could be placed for execution.\n\nIdentify and block potentially malicious software that may be executed through the path interception by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies,[[CiteRef::Corio 2008]] that are capable of auditing and/or blocking unknown executables.",
"value": "Path Interception Mitigation"
},
{
"meta": {
"uuid": "aaa92b37-f96c-4a0a-859c-b1cb6faeb13d"
},
"description": "Prevent adversaries from gaining access to credentials through [[Credential Access]] that can be used to log into remote desktop sessions on systems.\n\nIdentify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to log into remote interactive sessions, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] and Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Graphical User Interface Mitigation"
},
{
"meta": {
"uuid": "ac008435-af58-4f77-988a-c9b96c5920f5"
},
"description": "It may be difficult or inadvisable to block access to EA. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to hide information in EA by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "NTFS Extended Attributes Mitigation"
},
{
"meta": {
"uuid": "4b998a71-7b8f-4dcc-8f3f-277f2e740271"
},
"description": "Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.\n\nIdentify and block potentially malicious software that may be used by an adversary by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Indicator Removal from Tools Mitigation"
},
{
"meta": {
"uuid": "19edfa02-1a5f-47e4-ad82-3288f57f64cf"
},
"description": "Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Clipboard Data Mitigation"
},
{
"meta": {
"uuid": "8b36d944-f274-4d46-9acd-dbba6927ce7a"
},
"description": "Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Registry Run Keys / Start Folder Mitigation"
},
{
"meta": {
"uuid": "514e7371-a344-4de7-8ec3-3aa42b801d52"
},
"description": "Command and control infrastructure used in a multi-stage channel may be blocked if known ahead of time. If unique signatures are present in the C2 traffic, they could also be used as the basis of identifying and blocking the channel.[[CiteRef::University of Birmingham C2]]",
"value": "Multi-Stage Channels Mitigation"
},
{
"meta": {
"uuid": "4320b080-9ae9-4541-9b8b-bcd0961dbbbd"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Data Staged Mitigation"
},
{
"meta": {
"uuid": "39706d54-0d06-4a25-816a-78cc43455100"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Data from Removable Media Mitigation"
},
{
"meta": {
"uuid": "d9727aee-48b8-4fdb-89e2-4c49746ba4dd"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Data from Network Shared Drive Mitigation"
},
{
"meta": {
"uuid": "fdb1ae84-7b00-4d3d-b7dc-c774beef6425"
},
"description": "Use multifactor authentication. Follow guidelines to prevent or limit adversary access to [[Technique/T1078|Legitimate Credentials]].\n\nProtect domain controllers by ensuring proper security configuration for critical servers. Configure access controls and firewalls to limit access to these systems. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.",
"value": "Credential Manipulation Mitigation"
},
{
"meta": {
"uuid": "d0415180-51e9-40ce-b57c-c332b0b441f2"
},
"description": "It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. When PowerShell is necessary, restrict PowerShell execution policy to administrators and to only execute signed scripts. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.[[CiteRef::Netspi PowerShell Execution Policy Bypass]] Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.",
"value": "PowerShell Mitigation"
},
{
"meta": {
"uuid": "c620e3a1-fff5-424f-abea-d2b0f3616f67"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "System Information Discovery Mitigation"
},
{
"meta": {
"uuid": "313c8b20-4d49-40c1-9ac0-4c573aca28f3"
},
"description": "Upgrade the operating system to a newer version of Windows if using a version prior to Vista. \n\nLimit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.\n\nIdentify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] that are capable of auditing and/or blocking unknown DLLs.",
"value": "Winlogon Helper DLL Mitigation"
},
{
"meta": {
"uuid": "624d063d-cda8-4616-b4e4-54c04e427aec"
},
"description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting[[CiteRef::Beechey 2010]] tools capable of monitoring DLL loads by Windows utilities like AppLocker.[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]]",
"value": "Netsh Helper DLL Mitigation"
},
{
"meta": {
"uuid": "94e95eeb-7cdb-4bd7-afba-f32fda303dbb"
},
"description": "Follow best practices for mitigation of activity related to establishing [[Technique/T1077|Windows Admin Shares]]. \n\nIdentify unnecessary system utilities or potentially malicious software that may be used to leverage network shares, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Network Share Connection Removal Mitigation"
},
{
"meta": {
"uuid": "d75a3d1b-b536-4f15-a23c-f4bcc17837b8"
},
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Connection Proxy Mitigation"
},
{
"meta": {
"uuid": "25d5e1d8-c6fb-4735-bc57-115a21222f4b"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Application Window Discovery Mitigation"
},
{
"meta": {
"uuid": "d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2"
},
"description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through uses of network proxies, gateways, and firewalls as appropriate. Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of [[Technique/T1111|Two-Factor Authentication Interception]] techniques for some two-factor authentication implementations.",
"value": "External Remote Services Mitigation"
},
{
"meta": {
"uuid": "bcee7b05-89a6-41a5-b7aa-fce4da7ede9e"
},
"description": "Monitor systems and domain logs for unusual credential logon activity. Prevent access to [[Technique/T1078|Legitimate Credentials]]. Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group. Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform [[Lateral Movement]] between systems. Ensure that built-in and created local administrator accounts have complex, unique passwords. Do not allow a domain user to be in the local administrator group on multiple systems.",
"value": "Pass the Hash Mitigation"
},
{
"meta": {
"uuid": "5c49bc54-9929-48ca-b581-7018219b5a97"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system and domain accounts, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Account Discovery Mitigation"
},
{
"meta": {
"uuid": "823fbfe9-b015-4bf3-9e67-d340c7373ca0"
},
"description": "MSBuild.exe may not be necessary within a given environment and should be removed if not used. Use application whitelisting configured to block MSBuild.exe to prevent potential misuse by adversaries.[[CiteRef::SubTee MSBuild]][[CiteRef::Exploit Monday Mitigate Device Guard Bypases]][[CiteRef::GitHub mattifestation DeviceGuardBypass]]",
"value": "MSBuild Mitigation"
},
{
"meta": {
"uuid": "3a476d83-43eb-4fad-9b75-b1febd834e3d"
},
"description": "Monitor domains for unusual credential logons. Limit credential overlap across systems to prevent the damage of credential compromise. Ensure that local administrator accounts have complex, unique passwords. Do not allow a user to be a local administrator for multiple systems. Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.[[CiteRef::ADSecurity AD Kerberos Attacks]]\n\nAttempt to identify and block unknown or malicious software that could be used to obtain Kerberos tickets and use them to authenticate by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Pass the Ticket Mitigation"
},
{
"meta": {
"uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "System Owner/User Discovery Mitigation"
},
{
"meta": {
"uuid": "aeff5887-8f9e-48d5-a523-9b395e2ce80a"
},
"description": "Monitor/harden access to LSASS and SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using [[Technique/T1078|Legitimate Credentials]] if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.[[CiteRef::Microsoft LSA]]\n\nIdentify and block potentially malicious software that may be used to dump credentials by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]\n\nWith Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not enabled by default and has hardware requirements.[[CiteRef::TechNet Credential Guard]]",
"value": "Credential Dumping Mitigation"
},
{
"meta": {
"uuid": "12c13879-b7bd-4bc5-8def-aacec386d432"
},
"description": "Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass whitelisting.[[CiteRef::Secure Host Baseline EMET]]",
"value": "Regsvr32 Mitigation"
},
{
"meta": {
"uuid": "7c39ebbf-244e-4d1c-b0ac-b282453ece43"
},
"description": "Mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. \n\nAlthough process hollowing may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions, including process hollowing, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Process Hollowing Mitigation"
},
{
"meta": {
"uuid": "56db6ccc-433d-4411-8383-c3fd7053e2c8"
},
"description": "Mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. Audit and/or block potentially malicious software by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Execution through API Mitigation"
},
{
"meta": {
"uuid": "f0a42cad-9b1f-44da-a672-718f18381018"
},
"description": "Protect shared folders by minimizing users who have write access. Use utilities that detect or mitigate common features used in exploitation, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET).\n\nIdentify potentially malicious software that may be used to taint content or may result from it and audit and/or block the unknown programs by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Taint Shared Content Mitigation"
},
{
"meta": {
"uuid": "f9b3e5d9-7454-4b7d-bce6-27620e19924e"
},
"description": "Identify potentially malicious software that may be used as a remote access tool, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Redundant Access Mitigation"
},
{
"meta": {
"uuid": "16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d"
},
"description": "Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.\n\nIdentify and block potentially malicious software that may be used to record audio by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Audio Capture Mitigation"
},
{
"meta": {
"uuid": "b7b2c89c-09c1-4b71-ae7c-000ec2893aab"
},
"description": "Limit privileges of user accounts and remediate [[Privilege Escalation]] vectors so only authorized administrators can create new services.\n\nIdentify and block unnecessary system utilities or potentially malicious software that may be used to create services by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "New Service Mitigation"
},
{
"meta": {
"uuid": "57019a80-8523-46b6-be7d-f763a15a2cc6"
},
"description": "Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.",
"value": "Scripting Mitigation"
},
{
"meta": {
"uuid": "515f6584-fa98-44fe-a4e8-e428c7188514"
},
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Fallback Channels Mitigation"
},
{
"meta": {
"uuid": "d8787791-d22e-45bb-a9a8-251d8d0a1ff2"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "System Service Discovery Mitigation"
},
{
"meta": {
"uuid": "6cac62ce-550b-4793-8ee6-6a1b8836edb0"
},
"description": "Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.",
"value": "Indicator Removal on Host Mitigation"
},
{
"meta": {
"uuid": "9378f139-10ef-4e4b-b679-2255a0818902"
},
"description": "Identify and block potentially malicious software that may be executed through service abuse by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] that are capable of auditing and/or blocking unknown programs.",
"value": "Service Registry Permissions Weakness Mitigation"
},
{
"meta": {
"uuid": "5c167af7-c2cb-42c8-ae67-3fb275bf8488"
},
"description": "Mitigation of timestomping specifically is likely difficult. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to perform timestomping by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Timestomp Mitigation"
},
{
"meta": {
"uuid": "684feec3-f9ba-4049-9d8f-52d52f3e0e40"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about a system's network configuration, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Local Network Configuration Discovery Mitigation"
},
{
"meta": {
"uuid": "cfd2cd3b-93e7-4b3e-ab46-f8bcafdbdfcf"
},
"description": "Directly mitigating module loads and API calls related to module loads will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying and correlating subsequent behavior to determine if it is the result of malicious activity.",
"value": "Execution through Module Load Mitigation"
},
{
"meta": {
"uuid": "43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5"
},
"description": "Networks that allow for open development and testing of Web content and allow users to set up their own Web servers on the enterprise network may be particularly vulnerable if the systems and Web servers are not properly secured to limit privileged account use, unauthenticated network share access, and network/system isolation.\n\nEnsure proper permissions on directories that are accessible through a Web server. Disallow remote access to the webroot or other directories used to serve Web content. Disable execution on directories within the webroot. Ensure that permissions of the Web server process are only what is required by not using built-in accounts; instead, create specific accounts to limit unnecessary access or permissions overlap across multiple systems.",
"value": "Shared Webroot Mitigation"
},
{
"meta": {
"uuid": "f2cb6ce2-188d-4162-8feb-594f949b13dd"
},
"description": "Limit privileges of user accounts and remediate [[Privilege Escalation]] vectors so only authorized administrators can create scheduled tasks. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.[[CiteRef::Powersploit]]\n\nIdentify and block unnecessary system utilities or potentially malicious software that may be used to schedule tasks using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Scheduled Task Mitigation"
},
{
"meta": {
"uuid": "16a8ac85-a06f-460f-ad22-910167bd7332"
},
"description": "Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Binary Padding Mitigation"
},
{
"meta": {
"uuid": "46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4"
},
"description": "Ensure that all wireless traffic is encrypted appropriately. Use Kerberos, SSL, and multifactor authentication wherever possible. Monitor switches and network for span port usage, ARP/DNS poisoning, and router reconfiguration.\n\nIdentify and block potentially malicious software that may be used to sniff or analyze network traffic by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Network Sniffing Mitigation"
},
{
"meta": {
"uuid": "2a8de25c-f743-4348-b101-3ee33ab5871b"
},
"description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Data Encrypted Mitigation"
},
{
"meta": {
"uuid": "a766ce73-5583-48f3-b7c0-0bb43c6ef8c7"
},
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often.[[CiteRef::University of Birmingham C2]]",
"value": "Standard Cryptographic Protocol Mitigation"
},
{
"meta": {
"uuid": "24478001-2eb3-4b06-a02e-96b3d61d27ec"
},
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often.[[CiteRef::University of Birmingham C2]]",
"value": "Multilayer Encryption Mitigation"
},
{
"meta": {
"uuid": "45e7f570-6a0b-4095-bf02-4bca05da6bae"
},
"description": "When creating security rules, avoid exclusions based on file name or file path. Require signed binaries. Use file system access controls to protect folders such as C:\\Windows\\System32. Use tools that restrict program execution via whitelisting by attributes other than file name.\n\nIdentify potentially malicious software that may look like a legitimate program based on name and location, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Masquerading Mitigation"
},
{
"meta": {
"uuid": "902286b2-96cc-4dd7-931f-e7340c9961da"
},
"description": "Identify potentially malicious software that may be used to access logical drives in this manner, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "File System Logical Offsets Mitigation"
},
{
"meta": {
"uuid": "979e6485-7a2f-42bd-ae96-4e622c3cd173"
},
"description": "Limit the number of accounts that may use remote services. Use multifactor authentication where possible. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs. Prevent [[Credential Access]] techniques that may allow an adversary to acquire [[Technique/T1078|Legitimate Credentials]] that can be used by existing services.",
"value": "Remote Services Mitigation"
},
{
"meta": {
"uuid": "34efb2fd-4dc2-40d4-a564-0c147c85034d"
},
"description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "File Deletion Mitigation"
},
{
"meta": {
"uuid": "28adf6fd-ab6c-4553-9aa7-cef18a191f33"
},
"description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to compress files, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]\n\nIf network intrusion prevention or data loss prevention tools are set to block specific file types from leaving the network over unencrypted channels, then an adversary may move to an encrypted channel.",
"value": "Data Compressed Mitigation"
},
{
"meta": {
"uuid": "943d370b-2054-44df-8be2-ab4139bde1c5"
},
"description": "On Windows 8.1 and Windows Server 2012 R2 (and later), LSA can be made to run as a Protected Process Light (PPL) by setting the <code>RunAsPPL</code> value under the Registry key <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa</code>, which requires all DLLs loaded by LSA to be signed by Microsoft.[[CiteRef::Graeber 2014]][[CiteRef::Microsoft Configure LSA]]",
"value": "Authentication Package Mitigation"
},
{
"meta": {
"uuid": "1c6bc7f3-d517-4971-aed4-8f939090846b"
},
"description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting[[CiteRef::Beechey 2010]] tools capable of monitoring DLL loads by processes running under SYSTEM permissions.",
"value": "Local Port Monitor Mitigation"
},
{
"meta": {
"uuid": "c085476e-1964-4d7f-86e1-d8657a7741e8"
},
"description": "To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later.[[CiteRef::TechNet RDP NLA]]\n\nIf possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network.[[CiteRef::TechNet RDP Gateway]]\n\nIdentify and block potentially malicious software that may be executed by an adversary with this technique by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Accessibility Features Mitigation"
},
{
"meta": {
"uuid": "96150c35-466f-4f0a-97a9-ae87ee27f751"
},
"description": "Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform this action. Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised.[[CiteRef::TCG Trusted Platform Module]][[CiteRef::TechNet Secure Boot Process]]",
"value": "Bootkit Mitigation"
},
{
"meta": {
"uuid": "d45f03a8-790a-4f90-b956-cd7e5b8886bf"
},
"description": "Take measures to detect or prevent techniques such as [[Technique/T1003|Credential Dumping]] or installation of keyloggers to acquire credentials through [[Technique/T1056|Input Capture]]. Limit credential overlap across systems to prevent access if account credentials are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.[[CiteRef::TechNet Credential Theft]][[CiteRef::TechNet Least Privilege]]",
"value": "Legitimate Credentials Mitigation"
},
{
"meta": {
"uuid": "388606d3-f38f-45bf-885d-a9dc9df3c8a8"
},
"description": "Ensure proper process, registry, and file permissions are in place to prevent adversaries from disabling or interfering with security services.",
"value": "Disabling Security Tools Mitigation"
},
{
"meta": {
"uuid": "0640214c-95af-4c04-a574-2a1ba6dda00b"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Query Registry Mitigation"
},
{
"meta": {
"uuid": "25e53928-6f33-49b7-baee-8180578286f6"
},
"description": "Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS to determine if it is vulnerable to modification. Patch the BIOS as necessary. Use Trusted Platform Module technology.[[CiteRef::TCG Trusted Platform Module]]",
"value": "Basic Input/Output System Mitigation"
},
{
"meta": {
"uuid": "da987565-27b6-4b31-bbcd-74b909847116"
},
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Multiband Communication Mitigation"
},
{
"meta": {
"uuid": "9a902722-cecd-4fbe-a6c9-49333aa0f8c2"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Remote System Discovery Mitigation"
},
{
"meta": {
"uuid": "2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1"
},
"description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "File and Directory Discovery Mitigation"
},
{
"meta": {
"uuid": "1022138b-497c-40e6-b53a-13351cbd4090"
},
"description": "Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses.[[CiteRef::Powersploit]]\n\nIdentify and block potentially malicious software that may be executed through abuse of file, directory, and service permissions by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] that are capable of auditing and/or blocking unknown programs. Deny execution from user directories such as file download directories and temp directories where able.[[CiteRef::Seclists Kanthak 7zip Installer]]\n\nTurn off UAC's privilege elevation for standard users and installer detection for all users by modifying the registry key <code>[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]</code>: to automatically deny elevation requests, add <code>\"ConsentPromptBehaviorUser\"=dword:00000000</code>; to disable installer detection, add <code>\"EnableInstallerDetection\"=dword:00000000</code>.[[CiteRef::Seclists Kanthak 7zip Installer]]",
"value": "File System Permissions Weakness Mitigation"
},
{
"meta": {
"uuid": "d5dce4b9-f1fa-4c03-aff9-ce177246cb64"
},
"description": "Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level. Also ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to interact with Windows services, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Service Execution Mitigation"
},
{
"meta": {
"uuid": "b8d57b16-d8e2-428c-a645-1083795b3445"
},
"description": "Disable Autorun if it is unnecessary.[[CiteRef::Microsoft Disable Autorun]] Disallow or restrict removable media at an organizational policy level if they are not required for business operations.[[CiteRef::TechNet Removable Media Control]]",
"value": "Communication Through Removable Media Mitigation"
},
{
"meta": {
"uuid": "e8d22ec6-2236-48de-954b-974d17492782"
},
"description": "Remove smart cards when not in use. Protect devices and services used to transmit and receive out-of-band codes.\n\nIdentify and block potentially malicious software that may be used to intercept 2FA credentials on a system by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Two-Factor Authentication Interception Mitigation"
},
{
"meta": {
"uuid": "399d9038-b100-43ef-b28d-a5065106b935"
},
"description": "Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Standard Non-Application Layer Protocol Mitigation"
},
{
"meta": {
"uuid": "ba06d68a-4891-4eb5-b634-152e05ec60ee"
},
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Data Transfer Size Limits Mitigation"
},
{
"meta": {
"uuid": "10571bf2-8073-4edf-a71c-23bad225532e"
},
"description": "Upgrade to Windows 8 or later and enable Secure Boot, which disables the AppInit DLLs mechanism.\n\nIdentify and block potentially malicious software that may be executed through AppInit DLLs by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] that are capable of auditing and/or blocking unknown DLLs.",
"value": "AppInit DLLs Mitigation"
},
{
"meta": {
"uuid": "ec418d1b-4963-439f-b055-f914737ef362"
},
"description": "InstallUtil may not be necessary within a given environment. Use application whitelisting configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
"value": "InstallUtil Mitigation"
},
{
"meta": {
"uuid": "a13e35cc-8c90-4d77-a965-5461042c1612"
},
"description": "Identify and block unknown, potentially malicious software that may be executed through shortcut modification by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Shortcut Modification Mitigation"
},
{
"meta": {
"uuid": "f3d0c735-330f-43c2-8e8e-51bcfa51e8c3"
},
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Custom Command and Control Protocol Mitigation"
},
{
"meta": {
"uuid": "2497ac92-e751-4391-82c6-1b86e34d0294"
},
"description": "Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Automated Exfiltration Mitigation"
},
{
"meta": {
"uuid": "d7c49196-b40e-42bc-8eed-b803113692ed"
},
"description": "Direct mitigation of this technique is not recommended since it is a legitimate function that can be performed by users for software preferences. Follow Microsoft's best practices for file associations.[[CiteRef::MSDN File Associations]]\n\nIdentify and block potentially malicious software that may be executed by this technique using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Change Default File Association Mitigation"
},
{
"meta": {
"uuid": "1881da33-fdf2-4eea-afd0-e04caf9c000f"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Peripheral Device Discovery Mitigation"
},
{
"meta": {
"uuid": "addb3703-5a59-4461-9bcd-7e2b5d4e92a0"
},
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Standard Application Layer Protocol Mitigation"
},
{
"meta": {
"uuid": "da8a87d2-946d-4c34-9a30-709058b98996"
},
"description": "Identify and block potentially malicious software that may be used to acquire credentials or information from the user by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]\n\nIn cases where this behavior is difficult to detect or mitigate, efforts can be made to lessen some of the impact that might result from an adversary acquiring credential information. It is also good practice to follow mitigation recommendations for adversary use of [[Technique/T1078|Legitimate Credentials]].",
"value": "Input Capture Mitigation"
},
{
"meta": {
"uuid": "9e57c770-5a39-49a2-bb91-253ba629e3ac"
},
"description": "Windows 8.1 and Windows Server 2012 R2 may make LSA run as a Protected Process Light (PPL) by setting the Registry key <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL</code>, which requires all SSP DLLs to be signed by Microsoft.[[CiteRef::Graeber 2014]][[CiteRef::Microsoft Configure LSA]]",
"value": "Security Support Provider Mitigation"
},
{
"meta": {
"uuid": "f6469191-1814-4dbe-a081-2a6daf83a10b"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Process Discovery Mitigation"
},
{
"meta": {
"uuid": "effb83a0-ead1-4b36-b7f6-b7bdf9c4616e"
},
"description": "Disable Autorun if it is unnecessary.[[CiteRef::Microsoft Disable Autorun]] Disallow or restrict removable media at an organizational policy level if it is not required for business operations.[[CiteRef::TechNet Removable Media Control]]\n\nIdentify potentially malicious software that may be used to infect removable media or may result from tainted removable media, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Replication Through Removable Media Mitigation"
},
{
"meta": {
"uuid": "1c0711c8-2a73-48a1-893d-ff88bcd23824"
},
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Scheduled Transfer Mitigation"
},
{
"meta": {
"uuid": "2c3ce852-06a2-40ee-8fe6-086f6402a739"
},
"description": "Prevent adversary access to privileged accounts necessary to install a hypervisor.",
"value": "Hypervisor Mitigation"
},
{
"meta": {
"uuid": "8bd1ae32-a686-48f4-a6f8-470287f76152"
},
"description": "Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. A keylogger installed on a system may be able to intercept passwords through [[Technique/T1056|Input Capture]] and be used to decrypt protected documents that an adversary may have collected. Strong passwords should be used to prevent offline cracking of encrypted documents through [[Technique/T1110|Brute Force]] techniques.\n\nIdentify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to collect files and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Automated Collection Mitigation"
},
{
"meta": {
"uuid": "e547ed6a-f1ca-40df-8613-2ce27927f145"
},
"description": "Disable Autorun if it is unnecessary.[[CiteRef::Microsoft Disable Autorun]] Disallow or restrict removable media at an organizational policy level if they are not required for business operations.[[CiteRef::TechNet Removable Media Control]]",
"value": "Exfiltration Over Physical Medium Mitigation"
},
{
"meta": {
"uuid": "fcbe8424-eb3e-4794-b76d-e743f5a49b8b"
},
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Data Encoding Mitigation"
},
{
"meta": {
"uuid": "7a14d974-f3d9-4e4e-9b7d-980385762908"
},
"description": "Update software regularly. Install software in write-protected locations. Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.",
"value": "DLL Side-Loading Mitigation"
},
{
"meta": {
"uuid": "95ddb356-7ba0-4bd9-a889-247262b8946f"
},
"description": "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Rootkit Mitigation"
},
{
"meta": {
"uuid": "ed202147-4026-4330-b5bd-1e8dfa8cf7cc"
},
"description": "Identify and block unnecessary system utilities or potentially malicious software that may be used to modify the Registry by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Modify Registry Mitigation"
},
{
"meta": {
"uuid": "82d8e990-c901-4aed-8596-cc002e7eb307"
},
"description": "Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire system time information, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "System Time Discovery Mitigation"
},
{
"meta": {
"uuid": "c1676218-c16a-41c9-8f7a-023779916e39"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about network connections, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Local Network Connections Discovery Mitigation"
},
{
"meta": {
"uuid": "51b37302-b844-4c08-ac98-ae6955ed1f55"
},
"description": "Blocking software based on screen capture functionality may be difficult, and there may be legitimate software that performs those actions. Instead, identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Screen Capture Mitigation"
},
{
"meta": {
"uuid": "308855d1-078b-47ad-8d2a-8f9b2713ffb5"
},
"description": "Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group multiple systems.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to leverage SMB and the Windows admin shares, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Windows Admin Shares Mitigation"
},
{
"meta": {
"uuid": "fe0aeb41-1a51-4152-8467-628256ea6adf"
},
"description": "Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Toolkits like the PowerSploit framework contain the PowerUp modules that can be used to explore systems for [[Privilege Escalation]] weaknesses.[[CiteRef::Powersploit]]\n\nIdentify and block potentially malicious software that may be executed through service abuse by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] that are capable of auditing and/or blocking unknown programs.",
"value": "Modify Existing Service Mitigation"
},
{
"meta": {
"uuid": "160af6af-e733-4b6a-a04a-71c620ac0930"
},
"description": "Evaluate the security of third-party software that could be used to deploy or execute programs. Ensure that access to management systems for deployment systems is limited, monitored, and secure. Have a strict approval policy for use of deployment systems.\n\nGrant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [[Technique/T1068|Exploitation of Vulnerability]]. \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.",
"value": "Third-party Software Mitigation"
},
{
"meta": {
"uuid": "d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d"
},
"description": "Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.\n\nIdentify and block potentially malicious software that may be used to capture video and images by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Video Capture Mitigation"
},
{
"meta": {
"uuid": "23061b40-a7b6-454f-8950-95d5ff80331c"
},
"description": "HTTP Public Key Pinning (HPKP) is one method to mitigate potential man-in-the-middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate.[[CiteRef::Wikipedia HPKP]]",
"value": "Install Root Certificate Mitigation"
},
{
"meta": {
"uuid": "4a99fecc-680b-448e-8fe7-8144c60d272c"
},
"description": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Use multifactor authentication.",
"value": "Brute Force Mitigation"
},
{
"meta": {
"uuid": "383caaa3-c46a-4f61-b2e3-653eb132f0e7"
},
"description": "Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.\n\nUse of two-factor authentication for public-facing webmail servers is also a recommended best practice to minimize the usefulness of user names and passwords to adversaries.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to collect email data files or access the corporate email server, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Email Collection Mitigation"
},
{
"meta": {
"uuid": "92e6d080-ca3f-4f95-bc45-172a32c4e502"
},
"description": "Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, virtualization, and exploit prevention tools such as the Microsoft Enhanced Mitigation Experience Toolkit.[[CiteRef::SRD EMET]]",
"value": "Exploitation of Vulnerability Mitigation"
},
{
"meta": {
"uuid": "cdecc44a-1dbf-4c1f-881c-f21e3f47272a"
},
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Remote File Copy Mitigation"
},
{
"meta": {
"uuid": "0e5bdf42-a7f7-4d16-a074-4915bd262f80"
},
"description": "Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network. For example, if services like FTP are not required for sending information outside of a network, then block FTP-related ports at the network perimeter. Enforce proxies and use dedicated servers for services such as DNS and only allow those systems to communicate over respective ports/protocols, instead of all systems within a network.[[CiteRef::TechNet Firewall Design]] These actions will help reduce command and control and exfiltration path opportunities.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Exfiltration Over Alternative Protocol Mitigation"
},
{
"meta": {
"uuid": "53b3b027-bed3-480c-9101-1247047d0fe6"
},
"description": "Disable the RDP service if it is unnecessary, remove unnecessary accounts and groups from Remote Desktop Users groups, and enable firewall rules to block RDP traffic between network security zones. Audit the Remote Desktop Users group membership regularly. Remove the local Administrators group from the list of groups allowed to log in through RDP. Limit remote user permissions if remote access is necessary. Use remote desktop gateways and multifactor authentication for remote logins.[[CiteRef::Berkley Secure]]",
"value": "Remote Desktop Protocol Mitigation"
},
{
"meta": {
"uuid": "4689b9fb-dca4-473e-831b-34717ad50c97"
},
"description": "Firewalls and Web proxies can be used to enforce external network communication policy. It may be difficult for an organization to block particular services because so many of them are commonly used during the course of business.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol or encoded commands used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Web Service Mitigation"
},
{
"meta": {
"uuid": "d256cb63-b021-4b4a-bb6d-1b42eea179a3"
},
"description": "Use network intrusion detection/prevention systems to detect and prevent remote service scans. Ensure that unnecessary ports and services are closed and proper network segmentation is followed to protect critical servers and devices.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire information about services running on remote systems, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Network Service Scanning Mitigation"
},
{
"meta": {
"uuid": "0bc3ce00-83bc-4a92-a042-79ffbc6af259"
},
"description": "Disabling WMI services may cause system instability and should be evaluated to assess the impact to a network. By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI. Prevent credential overlap across systems of administrator and privileged accounts.[[CiteRef::FireEye WMI 2015]]",
"value": "Windows Management Instrumentation Event Subscription Mitigation"
},
{
"meta": {
"uuid": "7ee0879d-ce4f-4f54-a96b-c532dfb98ffd"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Data from Local System Mitigation"
},
{
"meta": {
"uuid": "a569295c-a093-4db4-9fb4-7105edef85ad"
},
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Since the custom protocol used may not adhere to typical protocol standards, there may be opportunities to signature the traffic on a network level for detection. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Custom Cryptographic Protocol Mitigation"
},
{
"meta": {
"uuid": "0472af99-f25c-4abe-9fce-010fa3450e72"
},
"description": "Establish an organizational policy that prohibits password storage in files. Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. Preemptively search for files containing passwords and remove when found. Restrict file shares to specific directories with access only to necessary users. Remove vulnerable Group Policy Preferences.[[CiteRef::Microsoft MS14-025]]",
"value": "Credentials in Files Mitigation"
},
{
"meta": {
"uuid": "dd9a85ad-6a92-4986-a215-b01d0ce7b987"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Permission Groups Discovery Mitigation"
},
{
"meta": {
"uuid": "9ab7de33-99b2-4d8d-8cf3-182fa0015cc2"
},
"description": "Restrict write access to logon scripts to specific administrators. Prevent access to administrator accounts by mitigating [[Credential Access]] techniques and limiting account access and permissions of [[Technique/T1078|Legitimate Credentials]].\n\nIdentify and block potentially malicious software that may be executed through logon script modification by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] that are capable of auditing and/or blocking unknown programs.",
"value": "Logon Scripts Mitigation"
},
{
"meta": {
"uuid": "82fbc58b-171d-4a2d-9a20-c6b2a716bd08"
},
"description": "Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system.[[CiteRef::NSA MS AppLocker]][[CiteRef::TechNet Trusted Publishers]][[CiteRef::Securelist Digital Certificates]]",
"value": "Code Signing Mitigation"
},
{
"meta": {
"uuid": "3e9f8875-d2f7-4380-a578-84393bd3b025"
},
"description": "Disable the WinRM service. If the service is necessary, lock down critical enclaves with separate WinRM infrastructure, accounts, and permissions. Follow WinRM best practices on configuration of authentication methods and use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.[[CiteRef::NSA Spotting]]",
"value": "Windows Remote Management Mitigation"
},
{
"meta": {
"uuid": "bcc91b8c-f104-4710-964e-1d5409666736"
},
"description": "Ensure that externally facing Web servers are patched regularly to prevent adversary access through [[Technique/T1068|Exploitation of Vulnerability]] to gain remote code access or through file inclusion weaknesses that may allow adversaries to upload files or scripts that are automatically served as Web pages. \n\nAudit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through [[Credential Access]] and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network.[[CiteRef::US-CERT Alert TA15-314A Web Shells]]",
"value": "Web Shell Mitigation"
},
{
"meta": {
"uuid": "d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e"
},
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Data Obfuscation Mitigation"
},
{
"meta": {
"uuid": "c95c8b5c-b431-43c9-9557-f494805e2502"
},
"description": "Ensure updated virus definitions. Create custom signatures for observed malware. Employ heuristic-based malware detection.\n\nIdentify and prevent execution of potentially malicious software that may have been packed by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Software Packing Mitigation"
},
{
"meta": {
"uuid": "bd2554b8-634f-4434-a986-9b49c29da2ae"
},
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about local security software, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Security Software Discovery Mitigation"
}
]
}
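Review bot: the descriptions in this mitre_course-of-action.json hunk still carry raw MITRE wiki markup (`[[CiteRef::Beechey 2010]]`, `[[Technique/T1078|Legitimate Credentials]]`, `[[Privilege Escalation]]`, and an HTML `<code>` tag in the RunAsPPL entry), which will render literally in MISP and is also inconsistent with the `[[Citation: ...]]` form used in the intrusion-set file added later in this commit; consider stripping or normalising the citation markup before merging, and consider giving each entry a `refs` list in `meta` alongside `uuid` as the intrusion-set entries do, so the source of each mitigation is machine-readable. Two small text fixes while here: "Install Root Certificate Mitigation" reads "where and adversary uses" (should be "an adversary"), and "Windows Admin Shares Mitigation" reads "in the local Administrators group multiple systems" (missing "on").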

View file

@ -0,0 +1,767 @@
{
"values": [
{
"description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.[[Citation: Kaspersky Poseidon Group]]",
"value": "Poseidon Group",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0033",
"https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/"
],
"uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446",
"synonyms": [
"Poseidon Group"
]
}
},
{
"description": "Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack.[[Citation: Citizen Lab Group5]]",
"value": "Group5",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0043",
"https://citizenlab.org/2016/08/group5-syria/"
],
"uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40",
"synonyms": [
"Group5"
]
}
},
{
"description": "PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.[[Citation: Bizeul 2014]][[Citation: Villeneuve 2014]]",
"value": "PittyTiger",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0011",
"http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
"https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html"
],
"uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647",
"synonyms": [
"PittyTiger"
]
}
},
{
"description": "admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.[[Citation: FireEye admin@338]]",
"value": "admin@338",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0018",
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
],
"uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"synonyms": [
"admin@338"
]
}
},
{
"description": "RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM).[[Citation: ESET RTM Feb 2017]]",
"value": "RTM",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0048",
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
],
"uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f",
"synonyms": [
"RTM"
]
}
},
{
"description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.[[Citation: FireEye EPS Awakens Part 2]]",
"value": "APT16",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0023",
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
],
"uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"synonyms": [
"APT16"
]
}
},
{
"description": "APT28 is a threat group that has been attributed to the Russian government.[[Citation: FireEye APT28]][[Citation: SecureWorks TG-4127]][[Citation: FireEye APT28 January 2017]][[Citation: GRIZZLY STEPPE JAR]] This group reportedly compromised the Democratic National Committee in April 2016.[[Citation: Crowdstrike DNC June 2016]]",
"value": "APT28",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0007",
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
],
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"synonyms": [
"APT28",
"Sednit",
"Sofacy",
"Pawn Storm",
"Fancy Bear",
"STRONTIUM",
"Tsar Team",
"Threat Group-4127",
"TG-4127"
]
}
},
{
"description": "Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Though both this group and Axiom use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting.[[Citation: Kaspersky Winnti April 2013]][[Citation: Kaspersky Winnti June 2015]][[Citation: Novetta Winnti April 2015]]",
"value": "Winnti Group",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0044",
"http://www.novetta.com/wp-content/uploads/2015/04/novetta%20winntianalysis.pdf",
"https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf",
"https://securelist.com/blog/incidents/70991/games-are-over/"
],
"uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"synonyms": [
"Winnti Group",
"Blackfly"
]
}
},
{
"description": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.Deep Panda.Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion.[[Citation: Symantec Black Vine]]",
"value": "Deep Panda",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0009",
"http://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-black-vine-cyberespionage-group.pdf",
"https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf",
"https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/"
],
"uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"synonyms": [
"Deep Panda",
"Shell Crew",
"WebMasters",
"KungFu Kittens",
"PinkPanther",
"Black Vine"
]
}
},
{
"description": "Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.[[Citation: DustySky]][[Citation: DustySky2]]",
"value": "Molerats",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0021",
"http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2%20-6.2016%20TLP%20White.pdf"
],
"uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411",
"synonyms": [
"Molerats",
"Gaza cybergang",
"Operation Molerats"
]
}
},
{
"description": "Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.[[Citation: Symantec Strider Blog]][[Citation: Kaspersky ProjectSauron Blog]]",
"value": "Strider",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0041",
"http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
"https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/"
],
"uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656",
"synonyms": [
"Strider",
"ProjectSauron"
]
}
},
{
"description": "Sandworm Team is a cyber espionage group that has operated since approximately 2009 and has been attributed to Russia.[[Citation: iSIGHT Sandworm 2014]] This group is also known as Quedagh.[[Citation: F-Secure BlackEnergy 2014]]",
"value": "Sandworm Team",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0034",
"https://www.f-secure.com/documents/996508/1030745/blackenergy%20whitepaper.pdf",
"http://www.isightpartners.com/2014/10/cve-2014-4114/"
],
"uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
"synonyms": [
"Sandworm Team",
"Quedagh"
]
}
},
{
"description": "FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.[[Citation: FireEye FIN6 April 2016]]",
"value": "FIN6",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0037",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"
],
"uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"synonyms": [
"FIN6"
]
}
},
{
"description": "Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries.[[Citation: Cylance Dust Storm]]",
"value": "Dust Storm",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0031",
"https://www.cylance.com/hubfs/2015%20cylance%20website/assets/operation-dust-storm/Op%20Dust%20Storm%20Report.pdf?t=1456259131512"
],
"uuid": "ae41895a-243f-4a65-b99b-d85022326c31",
"synonyms": [
"Dust Storm"
]
}
},
{
"description": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver.[[Citation: Cylance Cleaver]] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889).[[Citation: Dell Threat Group 2889]]",
"value": "Cleaver",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0003",
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/",
"http://www.cylance.com/assets/Cleaver/Cylance%20Operation%20Cleaver%20Report.pdf"
],
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"synonyms": [
"Cleaver",
"Threat Group 2889",
"TG-2889"
]
}
},
{
"description": "APT12 is a threat group that has been attributed to China.[[Citation: Meyers Numbered Panda]] It is also known as DynCalc, IXESHE, and Numbered Panda.[[Citation: Moran 2014]][[Citation: Meyers Numbered Panda]]",
"value": "APT12",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0005",
"https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html",
"http://www.crowdstrike.com/blog/whois-numbered-panda/"
],
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"synonyms": [
"APT12",
"IXESHE",
"DynCalc",
"Numbered Panda"
]
}
},
{
"description": "Moafee is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. .[[Citation: Haq 2014]]",
"value": "Moafee",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0002",
"https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"
],
"uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f",
"synonyms": [
"Moafee"
]
}
},
{
"description": "Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[[Citation: Dell TG-3390]]",
"value": "Threat Group-3390",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0027",
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"
],
"uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"synonyms": [
"Threat Group-3390",
"TG-3390",
"Emissary Panda"
]
}
},
{
"description": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [[Citation: Operation Quantum Entanglement]][[Citation: Symbiotic APT Groups]] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [[Citation: New DragonOK]]",
"value": "DragonOK",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0017",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
"https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon%202014%20R&D%20Track%20Insight%20into%20Symbiotic%20APT.pdf",
"http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/"
],
"uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a",
"synonyms": [
"DragonOK"
]
}
},
{
"description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the Peoples Liberation Army (PLA) General Staff Departments (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.[[Citation: Mandiant APT1]]",
"value": "APT1",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0006",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"synonyms": [
"APT1",
"Comment Crew",
"Comment Group",
"Comment Panda"
]
}
},
{
"description": "Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government.[[Citation: TrendMicro Taidoor]]",
"value": "Taidoor",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0015",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp%20the%20taidoor%20campaign.pdf"
],
"uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46",
"synonyms": [
"Taidoor"
]
}
},
{
"description": "Night Dragon is a threat group that has conducted activity originating primarily in China.[[Citation: McAfee Night Dragon]]",
"value": "Night Dragon",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0014",
"http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf"
],
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"synonyms": [
"Night Dragon"
]
}
},
{
"description": "Naikon is a threat group that has focused on targets around the South China Sea.Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[[Citation: Baumgartner Golovkin Naikon 2015]]",
"value": "Naikon",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0019",
"http://cdn2.hubspot.net/hubfs/454298/Project%20CAMERASHY%20ThreatConnect%20Copyright%202015.pdf",
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
"https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
],
"uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"synonyms": [
"Naikon"
]
}
},
{
"description": "Ke3chang is a threat group attributed to actors operating out of China.[[Citation: Villeneuve et al 2014]]",
"value": "Ke3chang",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0004",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
],
"uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"synonyms": [
"Ke3chang"
]
}
},
{
"description": "Patchwork is a threat group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Much of the code used by this group was copied and pasted from online forums.[[Citation: Cymmetria Patchwork]][[Citation: Symantec Patchwork]]",
"value": "Patchwork",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0040",
"http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
"https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling%20Patchwork.pdf"
],
"uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"synonyms": [
"Patchwork",
"Dropping Elephant",
"Chinastrats"
]
}
},
{
"description": "APT30 is a threat group suspected to be associated with the Chinese government.Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[[Citation: Baumgartner Golovkin Naikon 2015]]",
"value": "APT30",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0013",
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
"synonyms": [
"APT30"
]
}
},
{
"description": "MONSOON is the name of an espionage campaign that apparently started in December 2015 and was ongoing as of July 2016. It is believed that the actors behind MONSOON are the same actors behind Operation Hangover. While attribution is unclear, the campaign has targeted victims with military and political interests in the Indian Subcontinent.[[Citation: Forcepoint Monsoon]] Operation Hangover has been reported as being Indian in origin, and can be traced back to 2010.[[Citation: Operation Hangover May 2013]]",
"value": "MONSOON",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0042",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
"http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling%20an%20Indian%20Cyberattack%20Infrastructure.pdf"
],
"uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772",
"synonyms": [
"MONSOON",
"Operation Hangover"
]
}
},
{
"description": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.[[Citation: FireEye APT17]]",
"value": "APT17",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0025",
"https://www2.fireeye.com/rs/fireye/images/APT17%20Report.pdf"
],
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"synonyms": [
"APT17",
"Deputy Dog"
]
}
},
{
"description": "FIN7 is a financially motivated threat group that has primarily targeted the retail and hospitality sectors, often using point-of-sale malware.[[Citation: FireEye FIN7 March 2017]]",
"value": "FIN7",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0046",
"https://www.fireeye.com/blog/threat-research/2017/03/fin7%20spear%20phishing.html"
],
"uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"synonyms": [
"FIN7"
]
}
},
{
"description": "APT3 is a China-based threat group.[[Citation: FireEye Clandestine Wolf]] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[[Citation: FireEye Clandestine Wolf]][[Citation: FireEye Operation Double Tap]] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[[Citation: Symantec Buckeye]]",
"value": "APT3",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0022",
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
"https://www.fireeye.com/blog/threat-research/2014/11/operation%20doubletap.html"
],
"uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"synonyms": [
"APT3",
"Gothic Panda",
"Pirpi",
"UPS Team",
"Buckeye",
"Threat Group-0110",
"TG-0110"
]
}
},
{
"description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.[[Citation: Securelist GCMAN]]",
"value": "GCMAN",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0036",
"https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/"
],
"uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f",
"synonyms": [
"GCMAN"
]
}
},
{
"description": "Lazarus Group is a threat group that has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment. It was responsible for a campaign known as Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[[Citation: Novetta Blockbuster]]",
"value": "Lazarus Group",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0032",
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
],
"uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"synonyms": [
"Lazarus Group"
]
}
},
{
"description": "Lotus Blossom is threat group that has targeted government and military organizations in Southeast Asia.[[Citation: Lotus Blossom Jun 2015]] It is also known as Spring Dragon.[[Citation: Spring Dragon Jun 2015]]",
"value": "Lotus Blossom",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0030",
"https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
"https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html"
],
"uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7",
"synonyms": [
"Lotus Blossom",
"Spring Dragon"
]
}
},
{
"description": "Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives.[[Citation: Kaspersky Equation QA]]",
"value": "Equation",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0020",
"https://securelist.com/files/2015/02/Equation%20group%20questions%20and%20answers.pdf"
],
"uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9",
"synonyms": [
"Equation"
]
}
},
{
"description": "Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center WiFi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing.[[Citation: Kaspersky Darkhotel]]",
"value": "Darkhotel",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0012",
"https://securelist.com/files/2014/11/darkhotel%20kl%2007.11.pdf"
],
"uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383",
"synonyms": [
"Darkhotel"
]
}
},
{
"description": "Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems.[[Citation: Symantec Dragonfly]]",
"value": "Dragonfly",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0035",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/Dragonfly%20Threat%20Against%20Western%20Energy%20Suppliers.pdf"
],
"uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"synonyms": [
"Dragonfly",
"Energetic Bear"
]
}
},
{
"description": "Suckfly is a China-based threat group that has been active since at least 2014.[[Citation: Symantec Suckfly March 2016]]",
"value": "Suckfly",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0039",
"http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
],
"uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d",
"synonyms": [
"Suckfly"
]
}
},
{
"description": "Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed.[[Citation: Citizen Lab Stealth Falcon May 2016]]",
"value": "Stealth Falcon",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0038",
"https://citizenlab.org/2016/05/stealth-falcon/"
],
"uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"synonyms": [
"Stealth Falcon"
]
}
},
{
"description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.[[Citation: Scarlet Mimic Jan 2016]]",
"value": "Scarlet Mimic",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0029",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
],
"uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7",
"synonyms": [
"Scarlet Mimic"
]
}
},
{
"description": "Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure.[[Citation: Dell TG-1314]]",
"value": "Threat Group-1314",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0028",
"http://www.secureworks.com/resources/blog/living-off-the-land/"
],
"uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983",
"synonyms": [
"Threat Group-1314",
"TG-1314"
]
}
},
{
"description": "Turla is a threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies.[[Citation: Kaspersky Turla]]",
"value": "Turla",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0010",
"https://securelist.com/analysis/publications/65545/the-epic-turla-operation/"
],
"uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"synonyms": [
"Turla",
"Waterbug"
]
}
},
{
"description": "APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008.[[Citation: F-Secure The Dukes]][[Citation: GRIZZLY STEPPE JAR]] This group reportedly compromised the Democratic National Committee starting in the summer of 2015.[[Citation: Crowdstrike DNC June 2016]]",
"value": "APT29",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0016",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
],
"uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"synonyms": [
"APT29",
"The Dukes",
"Cozy Bear"
]
}
},
{
"description": "menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014.[[Citation: Palo Alto menuPass Feb 2017]][[Citation: Crowdstrike CrowdCast Oct 2013]][[Citation: FireEye Poison Ivy]]",
"value": "menuPass",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0045",
"https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem",
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf"
],
"uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"synonyms": [
"menuPass",
"Stone Panda",
"APT10"
]
}
},
{
"description": "Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLAs 3rd General Staff Department (GSD).[[Citation: CrowdStrike Putter Panda]]",
"value": "Putter Panda",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0024",
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
],
"uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
"synonyms": [
"Putter Panda",
"APT2",
"MSUpdater"
]
}
},
{
"description": "Axiom is a cyber espionage group suspected to be associated with the Chinese government.Winnti Group use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting.[[Citation: Kaspersky Winnti April 2013]][[Citation: Kaspersky Winnti June 2015]][[Citation: Novetta Winnti April 2015]]",
"value": "Axiom",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0001",
"http://www.novetta.com/wp-content/uploads/2014/11/Executive%20Summary-Final%201.pdf",
"http://www.novetta.com/wp-content/uploads/2015/04/novetta%20winntianalysis.pdf",
"https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf",
"https://securelist.com/blog/incidents/70991/games-are-over/"
],
"uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"synonyms": [
"Axiom",
"Group 72"
]
}
},
{
"description": "Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak).[[Citation: Kaspersky Carbanak]]",
"value": "Carbanak",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0008",
"https://securelist.com/files/2015/02/Carbanak%20APT%20eng.pdf"
],
"uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"synonyms": [
"Carbanak",
"Anunak"
]
}
},
{
"description": "APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.[[Citation: Dell Lateral Movement]]",
"value": "APT18",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0026",
"http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/"
],
"uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"synonyms": [
"APT18",
"Threat Group-0416",
"TG-0416",
"Dynamite Panda"
]
}
},
{
"description": "Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government.[[Citation: Palo Alto Gamaredon Feb 2017]]",
"value": "Gamaredon Group",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Group/G0047",
"https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
],
"uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"synonyms": [
"Gamaredon Group"
]
}
}
],
"description": "Name of ATT&CK Group",
"name": "intrusion Set",
"type": "mitre-intrusion-set",
"uuid": "10df003c-7831-11e7-bdb9-971cdd1218df",
"authors": [
"MITRE"
],
"version": 3,
"source": "https://github.com/mitre/cti"
}
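Review bot: Several "description" strings in this hunk have lost the text of their inline ATT&CK wiki links during conversion and no longer read as sentences: the Deep Panda entry has `telecommunications.Deep Panda.Deep Panda also appears`, the Axiom entry has `Chinese government.Winnti Group use the malware Winnti`, and the Naikon and APT30 entries both carry `South China Sea.Naikon shares some characteristics with APT30, the two groups do not appear` with the leading clause dropped. The Moafee description also ends in a stray `DragonOK. .[[Citation: Haq 2014]]`. Suggest regenerating these from the source with link text preserved (or hand-fixing them) before merge, since the descriptions are what MISP shows to analysts. Separately, the galaxy metadata at the end uses `"name": "intrusion Set"`, which is inconsistently capitalised compared with the other cluster names, and `"description": "Name of ATT&CK Group"` describes the value rather than the galaxy; `"name": "Intrusion Set"` with a description along the lines of the other MITRE galaxies would be cleaner.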

1558 clusters/mitre_malware.json Normal file
File diff suppressed because it is too large

407 clusters/mitre_tool.json Normal file

@ -0,0 +1,407 @@
{
"values": [
{
"value": "at",
"description": "at is used to schedule tasks on a system to run at a specified date or time.[[Citation: TechNet At]]\n\nAliases: at, at.exe",
"meta": {
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952",
"refs": [
"https://attack.mitre.org/wiki/Software/S0110",
"https://technet.microsoft.com/en-us/library/bb490866.aspx"
],
"synonyms": [
"at",
"at.exe"
]
}
},
{
"value": "route",
"description": "route can be used to find or change information within the local system IP routing table.[[Citation: TechNet Route]]\n\nAliases: route, route.exe",
"meta": {
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de",
"refs": [
"https://attack.mitre.org/wiki/Software/S0103",
"https://technet.microsoft.com/en-us/library/bb490991.aspx"
],
"synonyms": [
"route",
"route.exe"
]
}
},
{
"value": "Tasklist",
"description": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.[[Citation: Microsoft Tasklist]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0057",
"https://technet.microsoft.com/en-us/library/bb491010.aspx"
],
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f"
}
},
{
"value": "Windows Credential Editor",
"description": "Windows Credential Editor is a password dumping tool.[[Citation: Amplia WCE]]\n\nAliases: Windows Credential Editor, WCE",
"meta": {
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
"refs": [
"https://attack.mitre.org/wiki/Software/S0005",
"http://www.ampliasecurity.com/research/wcefaq.html"
],
"synonyms": [
"Windows Credential Editor",
"WCE"
]
}
},
{
"value": "schtasks",
"description": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.[[Citation: TechNet Schtasks]]\n\nAliases: schtasks, schtasks.exe",
"meta": {
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04",
"refs": [
"https://attack.mitre.org/wiki/Software/S0111",
"https://technet.microsoft.com/en-us/library/bb490996.aspx"
],
"synonyms": [
"schtasks",
"schtasks.exe"
]
}
},
{
"value": "UACMe",
"description": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.[[Citation: Github UACMe]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0116",
"https://github.com/hfiref0x/UACME"
],
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507"
}
},
{
"value": "ifconfig",
"description": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.[[Citation: Wikipedia Ifconfig]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0101",
"https://en.wikipedia.org/wiki/Ifconfig"
],
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5"
}
},
{
"value": "Mimikatz",
"description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.[[Citation: Deply Mimikatz]][[Citation: Adsecurity Mimikatz Guide]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0002",
"https://adsecurity.org/?page%20id=1821",
"https://github.com/gentilkiwi/mimikatz"
],
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
}
},
{
"value": "xCmd",
"description": "xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.[[Citation: xCmd]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0123",
"https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/"
],
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b"
}
},
{
"value": "Systeminfo",
"description": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer.[[Citation: TechNet Systeminfo]]\n\nAliases: Systeminfo, systeminfo.exe",
"meta": {
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
"refs": [
"https://attack.mitre.org/wiki/Software/S0096",
"https://technet.microsoft.com/en-us/library/bb491007.aspx"
],
"synonyms": [
"Systeminfo",
"systeminfo.exe"
]
}
},
{
"value": "netsh",
"description": "netsh is a scripting utility used to interact with networking components on local or remote systems.[[Citation: TechNet Netsh]]\n\nAliases: netsh, netsh.exe",
"meta": {
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
"refs": [
"https://attack.mitre.org/wiki/Software/S0108",
"https://technet.microsoft.com/library/bb490939.aspx"
],
"synonyms": [
"netsh",
"netsh.exe"
]
}
},
{
"value": "dsquery",
"description": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain.[[Citation: TechNet Dsquery]] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe",
"meta": {
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
"refs": [
"https://attack.mitre.org/wiki/Software/S0105",
"https://technet.microsoft.com/en-us/library/cc732952.aspx"
],
"synonyms": [
"dsquery",
"dsquery.exe"
]
}
},
{
"value": "gsecdump",
"description": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.[[Citation: TrueSec Gsecdump]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0008",
"http://www.truesec.com/Tools/Tool/gsecdump%20v2.0b5"
],
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54"
}
},
{
"value": "Ping",
"description": "Ping is an operating system utility commonly used to troubleshoot and verify network connections.[[Citation: TechNet Ping]]\n\nAliases: Ping, ping.exe",
"meta": {
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47",
"refs": [
"https://attack.mitre.org/wiki/Software/S0097",
"https://technet.microsoft.com/en-us/library/bb490968.aspx"
],
"synonyms": [
"Ping",
"ping.exe"
]
}
},
{
"value": "Fgdump",
"description": "Fgdump is a Windows password hash dumper.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0120",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe"
}
},
{
"value": "Lslsass",
"description": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0121",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b"
}
},
{
"value": "Pass-The-Hash Toolkit",
"description": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0122",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69"
}
},
{
"value": "FTP",
"description": "FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[[Citation: Wikipedia FTP]]\n\nAliases: FTP, ftp.exe",
"meta": {
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565",
"refs": [
"https://attack.mitre.org/wiki/Software/S0095",
"https://en.wikipedia.org/wiki/File%20Transfer%20Protocol"
],
"synonyms": [
"FTP",
"ftp.exe"
]
}
},
{
"value": "ipconfig",
"description": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.[[Citation: TechNet Ipconfig]]\n\nAliases: ipconfig, ipconfig.exe",
"meta": {
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
"refs": [
"https://attack.mitre.org/wiki/Software/S0100",
"https://technet.microsoft.com/en-us/library/bb490921.aspx"
],
"synonyms": [
"ipconfig",
"ipconfig.exe"
]
}
},
{
"value": "nbtstat",
"description": "nbtstat is a utility used to troubleshoot NetBIOS name resolution.[[Citation: TechNet Nbtstat]]\n\nAliases: nbtstat, nbtstat.exe",
"meta": {
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea",
"refs": [
"https://attack.mitre.org/wiki/Software/S0102",
"https://technet.microsoft.com/en-us/library/cc940106.aspx"
],
"synonyms": [
"nbtstat",
"nbtstat.exe"
]
}
},
{
"value": "HTRAN",
"description": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. [[Citation: Operation Quantum Entanglement]]\n\nAliases: HTRAN, HUC Packet Transmit Tool",
"meta": {
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
"refs": [
"https://attack.mitre.org/wiki/Software/S0040",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf"
],
"synonyms": [
"HTRAN",
"HUC Packet Transmit Tool"
]
}
},
{
"value": "netstat",
"description": "netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.[[Citation: TechNet Netstat]]\n\nAliases: netstat, netstat.exe",
"meta": {
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111",
"refs": [
"https://attack.mitre.org/wiki/Software/S0104",
"https://technet.microsoft.com/en-us/library/bb490947.aspx"
],
"synonyms": [
"netstat",
"netstat.exe"
]
}
},
{
"value": "pwdump",
"description": "pwdump is a credential dumper.[[Citation: Wikipedia pwdump]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0006",
"https://en.wikipedia.org/wiki/Pwdump"
],
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700"
}
},
{
"value": "Cachedump",
"description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a systems registry.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0119",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52"
}
},
{
"value": "Net",
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Net has a great deal of functionality,[[Citation: Savill 1999]] much of which is useful for an adversary, such as gathering system and network information for [[Discovery]], moving laterally through [[Windows admin shares]] using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe",
"meta": {
"uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"refs": [
"https://attack.mitre.org/wiki/Software/S0039",
"https://msdn.microsoft.com/en-us/library/aa939914",
"http://windowsitpro.com/windows/netexe-reference"
],
"synonyms": [
"Net",
"net.exe"
]
}
},
{
"value": "PsExec",
"description": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[[Citation: Russinovich Sysinternals]][[Citation: SANS PsExec]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0029",
"https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx",
"https://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-dive"
],
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
}
},
{
"value": "Arp",
"description": "Arp displays information about a system's Address Resolution Protocol (ARP) cache.[[Citation: TechNet Arp]]\n\nAliases: Arp, arp.exe",
"meta": {
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252",
"refs": [
"https://attack.mitre.org/wiki/Software/S0099",
"https://technet.microsoft.com/en-us/library/bb490864.aspx"
],
"synonyms": [
"Arp",
"arp.exe"
]
}
},
{
"value": "cmd",
"description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.[[Citation: TechNet Cmd]]\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code>[[Citation: TechNet Dir]]), deleting files (e.g., <code>del</code>[[Citation: TechNet Del]]), and copying files (e.g., <code>copy</code>[[Citation: TechNet Copy]]).\n\nAliases: cmd, cmd.exe",
"meta": {
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
"refs": [
"https://attack.mitre.org/wiki/Software/S0106",
"https://technet.microsoft.com/en-us/library/bb490880.aspx",
"https://technet.microsoft.com/en-us/library/bb490886.aspx",
"https://technet.microsoft.com/en-us/library/cc771049.aspx",
"https://technet.microsoft.com/en-us/library/cc755121.aspx"
],
"synonyms": [
"cmd",
"cmd.exe"
]
}
},
{
"value": "Reg",
"description": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.Reg are known to be used by persistent threats.[[Citation: Windows Commands JPCERT]]\n\nAliases: Reg, reg.exe",
"meta": {
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f",
"refs": [
"https://attack.mitre.org/wiki/Software/S0075",
"https://technet.microsoft.com/en-us/library/cc732643.aspx",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
],
"synonyms": [
"Reg",
"reg.exe"
]
}
}
],
"type": "mitre-tool",
"authors": [
"MITRE"
],
"version": 2,
"source": "https://github.com/mitre/cti",
"name": "Tool",
"description": "Name of ATT&CK software",
"uuid": "d700dc5c-78f6-11e7-a476-5f748c8e4fe0"
}
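Review bot: the import has turned underscores in reference URLs into "%20", so "https://adsecurity.org/?page%20id=1821" (the real page is ?page_id=1821) and "http://www.truesec.com/Tools/Tool/gsecdump%20v2.0b5" no longer resolve as written; fix the conversion step so underscores survive rather than patching entries by hand. The descriptions also carry unrendered ATT&CK wiki markup ("[[Citation: ...]]", "[[Discovery]]", "[[Windows admin shares]]", "<code>dir</code>") and dropped sentence boundaries ("network connections.Net has", "remove information.Reg are known"), plus "a publicly-available tool that program extracts" in the Cachedump entry, so the text needs a post-processing pass before it reaches MISP. Key order inside "meta" alternates as well (uuid before refs for entries with synonyms, after refs otherwise); sorting keys on output would keep future diffs readable.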


clusters/rat.json Normal file



@ -6,6 +6,7 @@
"Comment Panda",
"PLA Unit 61398",
"APT 1",
"APT1",
"Advanced Persistent Threat 1",
"Byzantine Candor",
"Group 3",
@ -29,6 +30,7 @@
},
{
"value": "Nitro",
"description": "These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014. ",
"meta": {
"country": "CN",
"refs": [
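Review bot: the description string ends with a trailing space ("...in 2014. "); strip it, since consumers that hash or compare descriptions will see spurious differences. The same habit appears in the SilverTerrier entry later in this change. Otherwise the "vendor described X as: '...'" form used here is the one the other new descriptions should follow.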
@ -41,10 +43,12 @@
},
{
"value": "Codoso",
"description": "The New York Times described Codoso as: 'A collection of hackers for hire that the security industry has been tracking for years. Over the years, the group has breached banks, law firms and tech companies, and once hijacked the Forbes website to try to infect visitors computers with malware.'",
"meta": {
"country": "CN",
"refs": [
"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
"https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html"
],
"synonyms": [
"C0d0so",
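Review bot: "infect visitors computers" inside the quoted New York Times sentence has lost its apostrophe (visitors' computers); quoted text should match the source exactly or mark the change. Adding the NYT article to refs next to the quote is the right pairing.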
@ -138,7 +142,7 @@
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
]
},
"description": "The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486. ",
"description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'",
"value": "Putter Panda"
},
{
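Review bot: the rewritten description introduces "since2012" (missing space) where the removed line still had "since 2012"; restore the space. Wrapping the CrowdStrike text in an attributed quotation is the right move and is the only other change here.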
@ -158,7 +162,8 @@
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
]
},
"value": "UPS"
"value": "UPS",
"description": "Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeyes focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'"
},
{
"meta": {
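Review bot: "Symantec described UPS in 2016 report" needs an article ("in a 2016 report"), and "Buckeyes focus" inside the quote has lost its apostrophe (Buckeye's). The quote names APT3, Gothic Panda, UPS Team and TG-0110 as aliases; the synonyms array is outside this hunk, so check that it carries them, otherwise the entry cannot be found by the names its own description uses.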
@ -171,7 +176,8 @@
"https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2"
]
},
"value": "DarkHotel"
"value": "DarkHotel",
"description": "Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'"
},
{
"meta": {
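Review bot: "this crews most unusual characteristic" should be "this crew's". The quote also mixes "DarkHotel" and "Darkhotel"; if the mixed spelling is from the source, leave it, otherwise normalise it, since MISP users search these strings literally.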
@ -214,10 +220,12 @@
],
"country": "CN",
"refs": [
"http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
"http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf"
]
},
"value": "Aurora Panda"
"value": "Aurora Panda",
"description": "FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'"
},
{
"meta": {
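Review bot: the description introduces the group as APT17 and DeputyDog while the value is "Aurora Panda", and a Hidden Lynx whitepaper is added to refs; the synonyms array is outside this hunk, so confirm it lists APT17, DeputyDog and Hidden Lynx, otherwise the description and refs name groups the entry cannot be searched by.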
@ -233,7 +241,8 @@
"https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828"
]
},
"value": "Wekby"
"value": "Wekby",
"description": "Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeams Flash zero - day exploit.'"
},
{
"meta": {
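Review bot: "HackingTeams Flash zero - day exploit" in the quote has a spaced hyphen and a missing apostrophe (HackingTeam's Flash zero-day); these look like paste artefacts rather than the source wording, so clean them before committing.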
@ -245,7 +254,8 @@
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf"
]
},
"value": "Tropic Trooper"
"value": "Tropic Trooper",
"description": "TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'"
},
{
"meta": {
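Review bot: "haveset their sights" is missing a space, and the vendor writes its name "Trend Micro", not "TrendMicro". "Operation TropicTrooper" inside the quote should be checked against the report title as well.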
@ -258,7 +268,8 @@
"Ragebeast",
"Blackfly",
"Lead",
"Wicked Spider"
"Wicked Spider",
"Barium"
],
"country": "CN",
"refs": [
@ -267,7 +278,8 @@
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp"
]
},
"value": "Axiom"
"value": "Axiom",
"description": "The Winnti grouping of activity is large and may actually be a number of linked groups rather than a single discrete entity. Kaspersky describe Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The groups objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.'"
},
{
"meta": {
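Review bot: the description talks about Winnti throughout while the entry's value is "Axiom"; state the relationship in the first sentence so a reader knows why a Winnti quote sits under Axiom. Also "Kaspersky describe Winnti" should be "describes", and "The groups objectives" has lost its apostrophe (group's).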
@ -304,7 +316,8 @@
"http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html"
]
},
"value": "Naikon"
"value": "Naikon",
"description": "Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'"
},
{
"meta": {
@ -314,7 +327,8 @@
],
"country": "CN",
"refs": [
"https://securelist.com/blog/research/70726/the-spring-dragon-apt/"
"https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
"https://securelist.com/spring-dragon-updated-activity/79067/"
]
},
"value": "Lotus Blossom"
@ -365,9 +379,14 @@
"menuPass",
"happyyongzi",
"POTASSIUM",
"DustStorm"
"DustStorm",
"Red Apollo",
"CVNX"
],
"country": "CN"
"country": "CN",
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/"
]
},
"value": "Stone Panda"
},
@ -491,15 +510,6 @@
]
}
},
{
"meta": {
"country": "CN",
"refs": [
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf"
]
},
"value": "HiddenLynx"
},
{
"meta": {
"country": "CN",
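Review bot: deleting the standalone HiddenLynx entry while the hidden_lynx.pdf reference moves into the Aurora Panda entry above merges the two silently; anyone searching the galaxy for "HiddenLynx" now gets nothing. If the merge is intended, add "HiddenLynx" and "Hidden Lynx" to the Aurora Panda synonyms and say so in its description; otherwise keep this entry.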
@ -740,7 +750,9 @@
"TG-4127",
"Group-4127",
"STRONTIUM",
"TAG_0700"
"TAG_0700",
"Swallowtail",
"IRON TWILIGHT"
],
"country": "RU",
"refs": [
@ -774,7 +786,8 @@
"https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/"
]
},
"value": "APT 29"
"value": "APT 29",
"description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering '"
},
{
"meta": {
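Review bot: the quoted F-Secure text carries PDF line-break artefacts: "large - scale", "spear - phishing", "smash - and - grab" and "long - term" should be hyphenated without spaces, "breakin" should be "break-in", "possible.If" and "States;Asian ... governments;organizations ... extremism;and" are missing spaces, and the quote ends with "gathering '" (space before the closing quote, no full stop). Also "F-Secure describe" should be "describes". Clean the quote before committing, since every MISP instance will render it as-is.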
@ -794,11 +807,13 @@
],
"refs": [
"https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf",
"https://www.circl.lu/pub/tr-25/"
"https://www.circl.lu/pub/tr-25/",
"https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec"
],
"country": "RU"
},
"value": "Turla Group"
"value": "Turla Group",
"description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'"
},
{
"meta": {
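Review bot: same paste artefacts as the APT 29 entry: "much - documented", "took.Kaspersky", and no punctuation between "EU energy dialogue" and "Though". "Symantecs Gavin O Gorman" should be "Symantec's Gavin O'Gorman". The quotation is also a long run of a newspaper article; a two-sentence excerpt plus the ref would serve a galaxy description better.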
@ -848,11 +863,13 @@
"meta": {
"synonyms": [
"Carbanak",
"Carbon Spider"
"Carbon Spider",
"FIN7"
],
"country": "RU",
"refs": [
"https://en.wikipedia.org/wiki/Carbanak"
"https://en.wikipedia.org/wiki/Carbanak",
"https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
],
"motive": "Cybercrime"
},
@ -940,13 +957,16 @@
"meta": {
"country": "KP",
"synonyms": [
"Operation DarkSeoul"
"Operation DarkSeoul",
"Hidden Cobra"
],
"refs": [
"https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/"
"https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/",
"https://www.us-cert.gov/ncas/alerts/TA17-164A"
]
},
"value": "Lazarus Group"
"value": "Lazarus Group",
"description": "Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman."
},
{
"meta": {
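Review bot: the new description appears to be taken from the US-CERT TA17-164A alert added to refs, but unlike the other entries in this change it is not framed as a quotation ("US-CERT described HIDDEN COBRA in 2017 as: '...'"), so it reads as the galaxy's own attribution assessment. Use the same attributed-quote form, and since "Hidden Cobra" is now a synonym, say up front that HIDDEN COBRA is the US government's name for this activity.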
@ -1063,9 +1083,6 @@
{
"meta": {
"country": "CN",
"synonyms": [
"Operation C-Major"
],
"refs": [
"http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf"
]
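Review bot: removing the "Operation C-Major" synonym here without a replacement means lookups by that name stop resolving; if the alias was misattributed to this entry (whose only reference is the HummingBad report), say so in the commit message and re-home it on the correct actor rather than dropping it.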
@ -1430,16 +1447,6 @@
"value": "Hammer Panda",
"description": "Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia."
},
{
"meta": {
"country": "CHN",
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp"
]
},
"value": "Barium",
"description": "Barium is one of the groups using Winnti."
},
{
"meta": {
"country": "IRN",
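Review bot: the removed entry's own description says Barium is "one of the groups using Winnti", i.e. a distinct group sharing tooling, yet the earlier hunk adds "Barium" as a synonym of Axiom, whose new description itself warns that the Winnti grouping "may actually be a number of linked groups". A synonym asserts identity; a safer representation is to keep Barium as its own entry with a sentence linking it to the Winnti/Axiom cluster. The removed entry also used "CHN" where the rest of the file uses "CN", so if it is retained, normalise the country code.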
@ -1485,6 +1492,121 @@
},
"value": "Groundbait",
"description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk Peoples Republics."
},
{
"meta": {
"refs": [
"https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7"
],
"country": "US"
},
"value": "Longhorn",
"description": "Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally."
},
{
"meta": {
"refs": [
"https://www.f-secure.com/documents/996508/1030745/callisto-group"
]
},
"value": "Callisto",
"description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions."
},
{
"meta": {
"synonyms": [
"OceanLotus Group",
"Ocean Lotus",
"APT-32",
"APT 32"
],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
]
},
"value": "APT32",
"description": "Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests."
},
{
"value": "SilverTerrier",
"description": "As these tools rise and fall in popularity (and more importantly, as detection rates by antivirus vendors improve), SilverTerrier actors have consistently adopted new malware families and shifted to the latest packing tools available. ",
"meta": {
"country": "NG",
"refs": [
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf"
]
}
},
{
"value": "WildNeutron",
"description": "A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not-state sponsored, rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged attacks.",
"meta": {
"refs": [
"https://www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks",
"https://securelist.com/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/",
"https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/"
],
"synonyms": [
"Butterfly",
"Morpho",
"Sphinx Moth"
]
}
},
{
"value": "PLATINUM",
"description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The groups persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.",
"meta": {
"refs": [
"http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf",
"https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/"
]
}
},
{
"value": "ELECTRUM",
"description": "Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team. Our intelligence ICS WorldView customers have received a comprehensive report and this industry report will not get into sensitive technical details but instead focus on information needed for defense and impact awareness.",
"meta": {
"refs": [
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
]
}
},
{
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
"https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html",
"https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf",
"http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf"
]
},
"description": "FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and POS malware PUNCHTRACK.",
"value": "FIN8"
},
{
"value": "El Machete",
"description": "El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here. Weve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. All attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.",
"meta": {
"refs": [
"https://securelist.com/blog/research/66108/el-machete/",
"https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html"
]
}
},
{
"value": "Cobalt",
"description": "A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.",
"meta": {
"refs": [
"https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/"
],
"synonyms": [
"Cobalt group",
"Cobalt gang"
]
}
}
],
"name": "Threat actor",
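Review bot: several of the new descriptions are pasted from vendor reports without the attribution-and-quote framing used by the entries above, and it shows: ELECTRUM keeps Dragos's customer pitch ("Our intelligence ICS WorldView customers have received a comprehensive report..."), El Machete keeps a first-person "Weve found" (missing apostrophe) and a dangling "named by Kaspersky here" that pointed at a hyperlink in the source, and SilverTerrier opens mid-argument ("As these tools rise and fall in popularity...") with a trailing space. Either quote them as 'Vendor described X as: ...' or rewrite in the galaxy's own voice, fix "not-state sponsored" (not state-sponsored) in WildNeutron, and give Cobalt's "latest attacks happened in July and August" a year so the sentence still reads correctly in later versions. Key order also alternates between value-first and meta-first across the new entries.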
@ -1499,5 +1621,5 @@
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"version": 17
"version": 25
}



@ -0,0 +1,7 @@
{
"version": 2,
"uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
"type": "mitre-attack-pattern",
"name": "Attack Pattern",
"description": "ATT&CK Tactic"
}
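Review bot: the description reads "ATT&CK Tactic" but the galaxy is named "Attack Pattern", and in ATT&CK an attack pattern is a technique; tactics are the categories techniques belong to. "ATT&CK Technique" would describe what this galaxy holds.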


@ -0,0 +1,7 @@
{
"uuid": "6fcb4472-6de4-11e7-b5f7-37771619e14e",
"name": "Course of Action",
"description": "ATT&CK Mitigation",
"type": "mitre-course-of-action",
"version": 3
}


@ -0,0 +1,7 @@
{
"type": "mitre-intrusion-set",
"uuid": "1023f364-7831-11e7-8318-43b5531983ab",
"description": "Name of ATT&CK Group",
"version": 3,
"name": "Intrusion Set"
}


@ -0,0 +1,7 @@
{
"version": 2,
"uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
"description": "Name of ATT&CK software",
"name": "Malware",
"type": "mitre-malware"
}

7
galaxies/mitre_tool.json Normal file
View file

@ -0,0 +1,7 @@
{
"name": "Tool",
"type": "mitre-tool",
"description": "Name of ATT&CK software",
"uuid": "d5cbd1a2-78f6-11e7-a833-7b9bccca9649",
"version": 2
}

7
galaxies/rat.json Normal file
View file

@ -0,0 +1,7 @@
{
"type": "rat",
"name": "RAT",
"description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
"version": 1,
"uuid": "06825db6-4797-11e7-ac4d-af25fdcdd299"
}
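Review bot: The description starts with a lowercase word ("remote administration tool ...") and has "also called sometimes" inverted; capitalise the first word and reorder to "also sometimes called remote access trojan" so the text reads as a sentence when MISP displays it.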

View file

@ -1,7 +1,7 @@
{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies",
"id": "https://www.github.com/MISP/misp-galaxies/schema.json",
"title": "Validator for misp-galaxies - Clusters",
"id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
"type": "object",
"additionalProperties": false,
"properties": {
@ -38,8 +38,36 @@
},
"meta": {
"type": "object",
"additionalProperties": false,
"additionalProperties": true,
"properties": {
"type": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"complexity": {
"type": "string"
},
"effectiveness": {
"type": "string"
},
"country": {
"type": "string"
},
"possible_issues": {
"type": "string"
},
"colour": {
"type": "string"
},
"motive": {
"type": "string"
},
"impact": {
"type": "string"
},
"refs": {
"type": "array",
"uniqueItems": true,
@ -64,36 +92,28 @@
"status": {
"type": "string"
},
"country": {
"date": {
"type": "string"
},
"effectiveness": {
"encryption": {
"type": "string"
},
"complexity": {
"type": "string"
},
"type": {
"extensions": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"impact": {
"type": "string"
},
"motive": {
"type": "string"
},
"colour": {
"type": "string"
},
"possible_issues": {
"ransomnotes": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
}
}
}
},
"required": [
"value"

View file

@ -1,7 +1,7 @@
{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies",
"id": "https://www.github.com/MISP/misp-galaxies/schema.json",
"title": "Validator for misp-galaxies - Galaxies",
"id": "https://www.github.com/MISP/misp-galaxies/schema_galaxies.json",
"type": "object",
"additionalProperties": false,
"properties": {

31
schema_misp.json Normal file
View file

@ -0,0 +1,31 @@
{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies - MISP",
"id": "https://www.github.com/MISP/misp-galaxies/schema_misp.json",
"type": "object",
"additionalProperties": false,
"properties": {
"elements_url": {
"type": "string"
},
"default_predicate_value_in": {
"type": "string"
},
"default_predicate_value": {
"type": "string"
},
"cluster_url": {
"type": "string"
},
"predicate_in": {
"type": "string"
}
},
"required": [
"elements_url",
"default_predicate_value_in",
"default_predicate_value",
"cluster_url",
"predicate_in"
]
}

58
schema_vocabularies.json Normal file
View file

@ -0,0 +1,58 @@
{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies - Vocabularies",
"id": "https://www.github.com/MISP/misp-galaxies/schema_vocabularies.json",
"type": "object",
"additionalProperties": false,
"properties": {
"version": {
"type": "integer"
},
"description": {
"type": "string"
},
"source": {
"type": "string"
},
"author": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"uuid": {
"type": "string"
},
"stix": {
"type": "string"
},
"type": {
"type": "string"
},
"values": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"description": {
"type": "string"
},
"value": {
"type": "string"
}
}
}
}
},
"required": [
"version",
"description",
"author",
"uuid",
"type",
"values"
]
}
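Review bot: The `values` items object declares `description` and `value` but has no `required` list, so an entry with only a `description`, or an empty `{}`, passes validation even though `value` is the key every consumer reads; add `"required": ["value"]` inside `items`, mirroring the top-level `required` block at the end of the file. Also consider adding `source` to the top-level `required` list, since every vocabulary hunk in this commit carries it.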

106
tools/adoc_galaxy.py Normal file
View file

@ -0,0 +1,106 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#
# A simple converter of MISP galaxy cluster to asciidoctor format
# Copyright (C) 2017 Alexandre Dulaunoy
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import json
import argparse
thisDir = os.path.dirname(__file__)
clusters = []
pathClusters = os.path.join(thisDir, '../clusters')
for f in os.listdir(pathClusters):
if '.json' in f:
clusters.append(f)
clusters.sort()
argParser = argparse.ArgumentParser(description='Generate documentation from MISP galaxy clusters', epilog='Available galaxy clusters are {0}'.format(clusters))
argParser.add_argument('-v', action='store_true', help='Verbose mode')
args = argParser.parse_args()
def header(adoc=False):
if adoc is False:
return False
doc = adoc
doc = doc + ":toc: right\n"
doc = doc + ":toclevels: 1\n"
doc = doc + ":toc-title: MISP Galaxy Cluster\n"
doc = doc + ":icons: font\n"
doc = doc + ":sectanchors:\n"
doc = doc + ":sectlinks:\n"
doc = doc + ":images-cdn: https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/logos/\n"
doc = doc + "\n= MISP Galaxy Clusters\n\n"
doc = doc + "Generated from https://github.com/MISP/misp-galaxy.\n\n"
doc = doc + "\nimage::{images-cdn}misp-logo.png[MISP logo]\n"
doc = "{}{}".format(doc, "\nMISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There are default vocabularies available in MISP galaxy but those can be overwritten, replaced or updated as you wish. Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme.\n")
doc = doc + "\n\n"
return doc
def asciidoc(content=False, adoc=None, t='title',title=''):
adoc = adoc + "\n"
output = ""
if t == 'title':
output = '== ' + content
elif t == 'info':
output = "\n{}.\n\n{} {} {}{}.json[*this location*] {}.\n".format(content, 'NOTE: ', title, 'is a cluster galaxy available in JSON format at https://github.com/MISP/misp-galaxy/blob/master/clusters/',title.lower(),' The JSON format can be freely reused in your application or automatically enabled in https://www.github.com/MISP/MISP[MISP]')
elif t == 'author':
output = '\nauthors:: {}\n'.format(' - '.join(content))
elif t == 'value':
output = '=== ' + content
elif t == 'description':
output = '\n{}\n'.format(content)
elif t == 'meta':
if 'synonyms' in content:
for s in content['synonyms']:
output = "{}\n* {}\n".format(output,s)
output = '{} is also known as:\n{}\n'.format(title,output)
if 'refs' in content:
output = '{}{}'.format(output,'\n.Table References\n|===\n|Links\n')
for r in content['refs']:
output = '{}|{}[{}]\n'.format(output, r, r)
output = '{}{}'.format(output,'|===\n')
adoc = adoc + output
return adoc
adoc = ""
print (header(adoc=adoc))
for cluster in clusters:
fullPathClusters = os.path.join(pathClusters, cluster)
with open(fullPathClusters) as fp:
c = json.load(fp)
title = c['name']
adoc = asciidoc(content=title, adoc=adoc, t='title')
adoc = asciidoc(content=c['description'], adoc=adoc, t='info', title=title)
if 'authors' in c:
adoc = asciidoc(content=c['authors'], adoc=adoc, t='author', title=title)
for v in c['values']:
adoc = asciidoc(content=v['value'], adoc=adoc, t='value', title=title)
if 'description' in v:
adoc = asciidoc(content=v['description'], adoc=adoc, t='description')
if 'meta' in v:
adoc = asciidoc(content=v['meta'], adoc=adoc, t='meta', title=v['value'])
print (adoc)
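Review bot: The `info` branch of `asciidoc()` builds the GitHub link from `title.lower()`, which yields `clusters/course of action.json` for the "Course of Action" cluster and `clusters/attack pattern.json` for "Attack Pattern" while the generators in this commit write `mitre_course-of-action.json` and `mitre_attack-pattern.json`; pass the real filename (the `cluster` loop variable) into the function instead of deriving it from the display name. Two smaller points: `if '.json' in f` also picks up names like `foo.json.bak`, so use `f.endswith('.json')`; and the `-v` flag is parsed but never read, so either wire it to some output or drop it.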

7
tools/gen.sh Normal file
View file

@ -0,0 +1,7 @@
python3 adoc_galaxy.py >a.txt
asciidoctor a.txt
asciidoctor-pdf -a allow-uri-read a.txt
cp a.html ../../misp-website/galaxy.html
cp a.pdf ../../misp-website/galaxy.pdf
scp a.html circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-galaxy/index.html
scp a.pdf circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-galaxy/galaxy.pdf
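Review bot: There is no shebang and no `set -e`, so if `asciidoctor` or `asciidoctor-pdf` fails the `cp` and `scp` lines still run and publish whatever stale `a.html`/`a.pdf` is lying around; start the script with `#!/bin/sh` and `set -eu`, and `cd "$(dirname "$0")"` so the relative `adoc_galaxy.py` path works from any directory. The host, user and web root are hard-coded; that is acceptable for a personal helper, but if others are expected to run it, move them into variables at the top so the copy step can be pointed elsewhere without editing the publish logic.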

View file

@ -0,0 +1,59 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s attack-patterns\nMust be in the mitre/cti/ATTACK/attack-pattern folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
if 'x_mitre_data_sources' in temp:
value['meta']['x_mitre_data_sources'] = temp['x_mitre_data_sources']
if 'x_mitre_platforms' in temp:
value['meta']['x_mitre_platforms'] = temp['x_mitre_platforms']
values.append(value)
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
galaxy = {}
galaxy['name'] = "Attack Pattern"
galaxy['type'] = "mitre-attack-pattern"
galaxy['description'] = "ATT&CK Tactic"
galaxy['uuid' ] = "c4e851fa-775f-11e7-8163-b774922098cd"
galaxy['version'] = args.version
cluster = {}
cluster['name'] = "Attack Pattern"
cluster['type'] = "mitre-attack-pattern"
cluster['description'] = "ATT&CK tactic"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "dcb864dc-775f-11e7-9fbb-1f41b4996683"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre_attack-pattern.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre_attack-pattern.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)
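Review bot: `value['description'] = temp['description']` raises `KeyError` for any STIX object without a description, and `temp['external_references']` likewise; use `temp.get('description', '')` and `temp.get('external_references', [])` so one incomplete object does not abort the whole run. `values.append(value)` comes before the `uuid` assignment and only works because the dict is appended by reference; move the append after the last assignment as the other four generators do. `re.search('--(.*)$', temp['id']).group(0)[2:]` is just `.group(1)`. The galaxy description "ATT&CK Tactic" and cluster description "ATT&CK tactic" differ in case, and both describe techniques rather than tactics. Finally, with the `python` shebang the key order of `galaxy` and `cluster` can depend on dict iteration order, which is why the generated galaxy files in this commit each order their keys differently; pass `sort_keys=True` to `json.dump` so regeneration produces minimal diffs.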

View file

@ -0,0 +1,51 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s courses-of-action.\nMust be in the mitre/cti/ATTACK/course-of-action folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Course of Action"
galaxy['type'] = "mitre-course-of-action"
galaxy['description'] = "ATT&CK Mitigation"
galaxy['uuid' ] = "6fcb4472-6de4-11e7-b5f7-37771619e14e"
galaxy['version'] = args.version
cluster = {}
cluster['name'] = "Course of Action"
cluster['type'] = "mitre-course-of-action"
cluster['description'] = "ATT&CK Mitigation"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "a8825ae8-6dea-11e7-8d57-7728f3cfe086"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre_course-of-action.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre_course-of-action.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)
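Review bot: Unlike the other four generators, this one never collects `external_references` into `meta.refs`, so every course-of-action entry is written without a source URL; add the same loop over `temp['external_references']` that picks `reference['url']`. As in the sibling scripts, `temp['description']` should be `temp.get('description', '')`, `json_data.close()` inside the `with` block is redundant, and `generate/galaxies/` and `generate/clusters/` must already exist or the final `open(..., 'w')` calls fail, so create them with `os.makedirs` (or fail with a clear message) before writing.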

View file

@ -0,0 +1,56 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s intrusion-sets\nMust be in the mitre/cti/ATTACK/intrusion-set folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['synonyms'] = temp['aliases']
value['meta']['refs']= []
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Intrusion Set"
galaxy['type'] = "mitre-intrusion-set"
galaxy['description'] = "Name of ATT&CK Group"
galaxy['uuid' ] = "1023f364-7831-11e7-8318-43b5531983ab"
galaxy['version'] = args.version
cluster = {}
cluster['name'] = "intrusion Set"
cluster['type'] = "mitre-intrusion-set"
cluster['description'] = "Name of ATT&CK Group"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "10df003c-7831-11e7-bdb9-971cdd1218df"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre_intrusion-set.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre_intrusion-set.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)
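Review bot: `cluster['name'] = "intrusion Set"` has a lowercase initial, unlike `galaxy['name'] = "Intrusion Set"` and unlike every other galaxy/cluster pair in this commit, whose names match; the name is what MISP displays, so fix the capitalisation. `value['meta']['synonyms'] = temp['aliases']` raises `KeyError` on any intrusion-set object without `aliases`; guard it with `if 'aliases' in temp:` the way the malware and tool scripts guard `x_mitre_aliases`.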

View file

@ -0,0 +1,57 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s malwares\nMust be in the mitre/cti/ATTACK/malware folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases']
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Malware"
galaxy['type'] = "mitre-malware"
galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "d752161c-78f6-11e7-a0ea-bfa79b407ce4"
galaxy['version'] = args.version
cluster = {}
cluster['name'] = "Malware"
cluster['type'] = "mitre-malware"
cluster['description'] = "Name of ATT&CK software"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "d752161c-78f6-11e7-a0ea-bfa79b407ce4"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre_malware.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre_malware.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)
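Review bot: `cluster['uuid']` is set to `d752161c-78f6-11e7-a0ea-bfa79b407ce4`, the same value as `galaxy['uuid']` a few lines above and as galaxies/mitre_malware.json; every other galaxy/cluster pair in this commit uses two distinct UUIDs, so this looks like a copy-paste slip. Generate a fresh UUID for the cluster now, before the file is imported anywhere, since changing it after instances have synchronised it is disruptive. Minor: `if'x_mitre_aliases' in temp:` is missing the space after `if` (the tool script has the same), and `galaxy['uuid' ]` has a stray space inside the brackets.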

View file

@ -0,0 +1,57 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s tools\nMust be in the mitre/cti/ATTACK/tool folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases']
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Tool"
galaxy['type'] = "mitre-tool"
galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "d5cbd1a2-78f6-11e7-a833-7b9bccca9649"
galaxy['version'] = args.version
cluster = {}
cluster['name'] = "Tool"
cluster['type'] = "mitre-tool"
cluster['description'] = "Name of ATT&CK software"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "d700dc5c-78f6-11e7-a476-5f748c8e4fe0"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre_tool.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre_tool.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)
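Review bot: This script is a line-for-line copy of the preceding malware generator with names and UUIDs swapped, and the attack-pattern, course-of-action and intrusion-set generators share the same skeleton; a single module driven by a table of `(name, type, galaxy_uuid, cluster_uuid, optional fields)` would remove four copies of the same loop and the drift already visible between them (refs missing in one, a lowercase name in another, a duplicated UUID in a third). If they stay separate, at least fix `if'x_mitre_aliases' in temp:` and use `temp.get('description', '')` here as well.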

View file

@ -48,3 +48,27 @@ do
fi
echo ''
done
for dir in misp/*.json
do
echo -n "${dir}: "
jsonschema -i ${dir} schema_misp.json
rc=$?
if [[ $rc != 0 ]]; then
echo "Error on ${dir}"
exit $rc
fi
echo ''
done
for dir in vocabularies/*/*.json
do
echo -n "${dir}: "
jsonschema -i ${dir} schema_vocabularies.json
rc=$?
if [[ $rc != 0 ]]; then
echo "Error on ${dir}"
exit $rc
fi
echo ''
done
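Review bot: If either glob matches nothing (an empty `misp/` directory, or `vocabularies/*/` with no JSON files), `for dir in misp/*.json` iterates once over the literal pattern and `jsonschema -i` fails on a non-existent file; add `shopt -s nullglob` (the script already relies on bash for `[[ ]]`) or test `[ -f "$dir" ]` first. The loop variable is named `dir` but holds a file path, and `${dir}` is unquoted in the `jsonschema` call; rename it to `file` and quote it. Both new loops duplicate the existing one above them, so a `validate <glob> <schema>` function would keep all three in sync.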

View file

@ -91,10 +91,10 @@
"value": "Unauthorized Access"
}
],
"version" : 1,
"version" : 2,
"description": "The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor",
"source": "STIX 1.0",
"author": "STIX",
"author": ["STIX"],
"uuid": "b6975c96-296a-48cf-9006-034ed102bc85",
"stix": "1.2.1",
"type": "threat-actor-intended-effect-vocabulary"

View file

@ -56,10 +56,10 @@
"description": "The threat actor is motivated by the desire to exercise some political advantage."
}
],
"version" : 1,
"version" : 2,
"description": "The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.",
"source": "STIX 1.0",
"author": "STIX",
"author": ["STIX"],
"uuid": "74183277-5ee6-436a-9859-cb16fb3f21e2",
"stix": "1.2.1",
"type": "threat-actor-motivation-vocabulary"

View file

@ -67,9 +67,9 @@
"value": "Skill Development / Recruitment - University Programs"
}
],
"version" : 1,
"version" : 2,
"description": "The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions available to a threat actor.",
"author": "STIX",
"author": ["STIX"],
"source": "STIX 1.0",
"stix": "1.0.1",
"uuid": "f91f69d2-fcd0-45f2-baeb-4f79f9458da7",

View file

@ -17,9 +17,9 @@
"description": "Demonstrates a nascent capability. A novice has basic computer skills and likely requires the assistance of a Practitioner or higher to engage in hacking activity. He uses existing and frequently well known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers on the Internet and lacks the ability to conduct his own reconnaissance and targeting research."
}
],
"version" : 1,
"version" : 2,
"description": "The ThreatActorSophisticationVocab enumeration is used to define the default STIX vocabulary for expressing the subjective level of sophistication of a threat actor.",
"author": "STIX",
"author": ["STIX"],
"uuid": "fcaf1309-28c4-4d09-b56f-84d6cf6afbb3",
"stix": "1.0",
"type": "threat-actor-sophistication-vocabulary"

View file

@ -52,10 +52,10 @@
"value": "Disgruntled Customer / User"
}
],
"version": 1,
"version": 2,
"uuid": "3d7dc2ee-ca54-4a5e-96a3-2e7cba0ffe95",
"description": "The ThreatActorTypeVocab enumeration is used to define the default STIX vocabulary for expressing the subjective type of a threat actor.",
"author": "STIX",
"author": ["STIX"],
"source": "STIX 1.0",
"stix": "1.0",
"type": "threat-actor-type-vocabulary"