mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-29 18:27:19 +00:00
Fix [mitre] running jq_all_the_things.sh
This commit is contained in:
parent
1e60ee58a7
commit
777ead0170
5 changed files with 235 additions and 235 deletions
File diff suppressed because it is too large
|
@ -3797,7 +3797,7 @@
|
||||||
"value": "Data Compressed Mitigation - T1002"
|
"value": "Data Compressed Mitigation - T1002"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "### Windows\nMonitor/harden access to LSASS and SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using [Valid Accounts](https://attack.mitre.org/techniques/T1078) if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)\n\nOn Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA)\n\nIdentify and block potentially malicious software that may be used to dump credentials by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nWith Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. (Citation: TechNet Credential Guard) It also does not protect against all forms of credential dumping. (Citation: GitHub SHB Credential Guard)\n\nManage the access control list for \u201cReplicating Directory Changes\u201d and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL)\n\nConsider disabling or restricting NTLM traffic. 
(Citation: Microsoft Disable NTLM Nov 2012)\n\n### Linux\nScraping the passwords from memory requires root privileges. Follow best practices in restricting access to escalated privileges to avoid hostile programs from accessing such sensitive regions of memory.",
|
"description": "### Windows\nMonitor/harden access to LSASS and SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using [Valid Accounts](https://attack.mitre.org/techniques/T1078) if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)\n\nOn Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA)\n\nIdentify and block potentially malicious software that may be used to dump credentials by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nWith Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. (Citation: TechNet Credential Guard) It also does not protect against all forms of credential dumping. (Citation: GitHub SHB Credential Guard)\n\nManage the access control list for “Replicating Directory Changes” and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL)\n\nConsider disabling or restricting NTLM traffic. 
(Citation: Microsoft Disable NTLM Nov 2012)\n\n### Linux\nScraping the passwords from memory requires root privileges. Follow best practices in restricting access to escalated privileges to avoid hostile programs from accessing such sensitive regions of memory.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "T1003",
|
"external_id": "T1003",
|
||||||
"refs": [
|
"refs": [
|
||||||
|
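Review bot: the only change in this hunk is `\u201c`/`\u201d` becoming `“`/`”` around `Replicating Directory Changes` in the T1003 mitigation description; both spellings decode to the same U+201C/U+201D code points, so the cluster content is identical and the diff is just jq writing raw UTF-8 instead of `\uXXXX` escapes. Since the commit message says this is the output of running `jq_all_the_things.sh`, the thing to verify before merging is that the script's jq invocation is the canonical one (no `-a`/`--ascii-output` elsewhere in the pipeline) and that the file is committed as UTF-8 without a BOM; otherwise the next contributor's run flips every one of these lines back and produces the same 235-line churn in the opposite direction.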
@ -7168,7 +7168,7 @@
|
||||||
"value": "Clipboard Data Mitigation - T1115"
|
"value": "Clipboard Data Mitigation - T1115"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "Enforce that all binaries be signed by the correct Apple Developer IDs, and whitelist applications via known hashes. Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn\u2019t included as part of an update, it should be investigated.",
|
"description": "Enforce that all binaries be signed by the correct Apple Developer IDs, and whitelist applications via known hashes. Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn’t included as part of an update, it should be investigated.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "T1161",
|
"external_id": "T1161",
|
||||||
"refs": [
|
"refs": [
|
||||||
|
@ -7608,7 +7608,7 @@
|
||||||
"value": "LC_MAIN Hijacking Mitigation - T1149"
|
"value": "LC_MAIN Hijacking Mitigation - T1149"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "Since StartupItems are deprecated, preventing all users from writing to the <code>/Library/StartupItems</code> directory would prevent any startup items from getting registered. Similarly, appropriate permissions should be applied such that only specific users can edit the startup items so that they can\u2019t be leveraged for privilege escalation.",
|
"description": "Since StartupItems are deprecated, preventing all users from writing to the <code>/Library/StartupItems</code> directory would prevent any startup items from getting registered. Similarly, appropriate permissions should be applied such that only specific users can edit the startup items so that they can’t be leveraged for privilege escalation.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "T1165",
|
"external_id": "T1165",
|
||||||
"refs": [
|
"refs": [
|
||||||
|
@ -7689,7 +7689,7 @@
|
||||||
"value": "Browser Extensions Mitigation - T1176"
|
"value": "Browser Extensions Mitigation - T1176"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nAlthough Process Doppelg\u00e4nging may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
|
"description": "This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nAlthough Process Doppelgänging may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "T1186",
|
"external_id": "T1186",
|
||||||
"refs": [
|
"refs": [
|
||||||
|
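Review bot: `Doppelg\u00e4nging` becomes a literal `ä` in the T1186 description, which is the first hunk in the commit that puts a non-ASCII byte sequence (rather than a typographic quote or apostrophe) into the file. Any validation step that opens these galaxy JSON files with a non-UTF-8 default encoding would have seen pure ASCII before and would mis-render this name now, so it is worth confirming the repo's JSON checks read the file as UTF-8.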
@ -7711,7 +7711,7 @@
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"uuid": "34d6a2ef-370e-4d21-a34b-6208b7c78f31",
|
"uuid": "34d6a2ef-370e-4d21-a34b-6208b7c78f31",
|
||||||
"value": "Process Doppelg\u00e4nging Mitigation - T1186"
|
"value": "Process Doppelgänging Mitigation - T1186"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL</code> to <code>dword:00000001</code>. (Citation: Microsoft LSA Protection Mar 2014) LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.\n\nOn Windows 10 and Server 2016, enable Windows Defender Credential Guard (Citation: Microsoft Enable Cred Guard April 2017) to run lsass.exe in an isolated virtualized environment without any device drivers. (Citation: Microsoft Credential Guard April 2017)\n\nEnsure safe DLL search mode is enabled <code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\SafeDllSearchMode</code> to mitigate risk that lsass.exe loads a malicious code library. (Citation: Microsoft DLL Security)",
|
"description": "On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL</code> to <code>dword:00000001</code>. (Citation: Microsoft LSA Protection Mar 2014) LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.\n\nOn Windows 10 and Server 2016, enable Windows Defender Credential Guard (Citation: Microsoft Enable Cred Guard April 2017) to run lsass.exe in an isolated virtualized environment without any device drivers. (Citation: Microsoft Credential Guard April 2017)\n\nEnsure safe DLL search mode is enabled <code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\SafeDllSearchMode</code> to mitigate risk that lsass.exe loads a malicious code library. (Citation: Microsoft DLL Security)",
|
||||||
|
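Review bot: the `value` line `Process Doppelgänging Mitigation - T1186` is the cluster's display name and the string MISP builds the `misp-galaxy:` tag from, so this is the one place in the commit where the rewrite reaches a user-facing identifier; the `uuid` line `34d6a2ef-370e-4d21-a34b-6208b7c78f31` in the same hunk is unchanged, which is what matters for identity, and because `\u00e4` and `ä` are the same string once parsed, existing tags keep matching. Also note the trailing `description` context lines (the `RunAsPPL` and `SafeDllSearchMode` registry paths with `\\` escapes) are untouched, i.e. jq rewrote only `\uXXXX` escapes and left backslash escapes alone, as expected.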
@ -10386,7 +10386,7 @@
|
||||||
"value": "Trap Mitigation - T1154"
|
"value": "Trap Mitigation - T1154"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "Prevent users from changing the <code>HISTCONTROL</code> environment variable (Citation: Securing bash history). Also, make sure that the <code>HISTCONTROL</code> environment variable is set to \u201cignoredup\u201d instead of \u201cignoreboth\u201d or \u201cignorespace\u201d.",
|
"description": "Prevent users from changing the <code>HISTCONTROL</code> environment variable (Citation: Securing bash history). Also, make sure that the <code>HISTCONTROL</code> environment variable is set to “ignoredup” instead of “ignoreboth” or “ignorespace”.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "T1148",
|
"external_id": "T1148",
|
||||||
"refs": [
|
"refs": [
|
||||||
|
@ -10441,7 +10441,7 @@
|
||||||
"value": "AppleScript Mitigation - T1155"
|
"value": "AppleScript Mitigation - T1155"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "The sudoers file should be strictly edited such that passwords are always required and that users can\u2019t spawn risky processes as users with higher privilege. By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file.",
|
"description": "The sudoers file should be strictly edited such that passwords are always required and that users can’t spawn risky processes as users with higher privilege. By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "T1169",
|
"external_id": "T1169",
|
||||||
"refs": [
|
"refs": [
|
||||||
|
|
|
@ -3098,7 +3098,7 @@
|
||||||
"value": "Lazarus Group - G0032"
|
"value": "Lazarus Group - G0032"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[Putter Panda](https://attack.mitre.org/groups/G0024) is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA\u2019s 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)",
|
"description": "[Putter Panda](https://attack.mitre.org/groups/G0024) is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "G0024",
|
"external_id": "G0024",
|
||||||
"refs": [
|
"refs": [
|
||||||
|
@ -6982,7 +6982,7 @@
|
||||||
"value": "APT30 - G0013"
|
"value": "APT30 - G0013"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People\u2019s Liberation Army (PLA) General Staff Department\u2019s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)",
|
"description": "[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "G0006",
|
"external_id": "G0006",
|
||||||
"refs": [
|
"refs": [
|
||||||
|
@ -12696,7 +12696,7 @@
|
||||||
"value": "DarkVishnya - G0105"
|
"value": "DarkVishnya - G0105"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess [POLONIUM](https://attack.mitre.org/groups/G1005) has coordinated their operations with multiple actors affiliated with Iran\u2019s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)",
|
"description": "[POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess [POLONIUM](https://attack.mitre.org/groups/G1005) has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "G1005",
|
"external_id": "G1005",
|
||||||
"refs": [
|
"refs": [
|
||||||
|
@ -13274,7 +13274,7 @@
|
||||||
"value": "Orangeworm - G0071"
|
"value": "Orangeworm - G0071"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[Whitefly](https://attack.mitre.org/groups/G0107) is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore\u2019s largest public health organization, SingHealth.(Citation: Symantec Whitefly March 2019)",
|
"description": "[Whitefly](https://attack.mitre.org/groups/G0107) is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.(Citation: Symantec Whitefly March 2019)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "G0107",
|
"external_id": "G0107",
|
||||||
"refs": [
|
"refs": [
|
||||||
|
@ -13420,7 +13420,7 @@
|
||||||
"value": "SideCopy - G1008"
|
"value": "SideCopy - G1008"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[Naikon](https://attack.mitre.org/groups/G0019) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People\u2019s Liberation Army\u2019s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).(Citation: CameraShy) Active since at least 2010, [Naikon](https://attack.mitre.org/groups/G0019) has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).(Citation: CameraShy)(Citation: Baumgartner Naikon 2015) \n\nWhile [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.(Citation: Baumgartner Golovkin Naikon 2015)",
|
"description": "[Naikon](https://attack.mitre.org/groups/G0019) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).(Citation: CameraShy) Active since at least 2010, [Naikon](https://attack.mitre.org/groups/G0019) has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).(Citation: CameraShy)(Citation: Baumgartner Naikon 2015) \n\nWhile [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.(Citation: Baumgartner Golovkin Naikon 2015)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "G0019",
|
"external_id": "G0019",
|
||||||
"refs": [
|
"refs": [
|
||||||
|
|
|
@ -1406,7 +1406,7 @@
|
||||||
"value": "Cherry Picker - S0107"
|
"value": "Cherry Picker - S0107"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[Zeus Panda](https://attack.mitre.org/software/S0330) is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. [Zeus Panda](https://attack.mitre.org/software/S0330)\u2019s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)",
|
"description": "[Zeus Panda](https://attack.mitre.org/software/S0330) is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. [Zeus Panda](https://attack.mitre.org/software/S0330)’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "S0330",
|
"external_id": "S0330",
|
||||||
"mitre_platforms": [
|
"mitre_platforms": [
|
||||||
|
@ -2741,7 +2741,7 @@
|
||||||
"value": "Small Sieve - S1035"
|
"value": "Small Sieve - S1035"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as \u201cadversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\u201d. Cobalt Strike\u2019s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: cobaltstrike manual)",
|
"description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: cobaltstrike manual)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "S0154",
|
"external_id": "S0154",
|
||||||
"mitre_platforms": [
|
"mitre_platforms": [
|
||||||
|
@ -4385,7 +4385,7 @@
|
||||||
"value": "JSS Loader - S0648"
|
"value": "JSS Loader - S0648"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim\u2019s bank account or cryptocurrency wallet and taking over email or social media accounts. [DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android\u2019s accessibility service.(Citation: ESET DEFENSOR ID) ",
|
"description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. [DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android’s accessibility service.(Citation: ESET DEFENSOR ID) ",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "S0479",
|
"external_id": "S0479",
|
||||||
"mitre_platforms": [
|
"mitre_platforms": [
|
||||||
|
@ -11990,7 +11990,7 @@
|
||||||
"value": "GLOOXMAIL - S0026"
|
"value": "GLOOXMAIL - S0026"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[Circles](https://attack.mitre.org/software/S0602) reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company\u2019s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)",
|
"description": "[Circles](https://attack.mitre.org/software/S0602) reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company’s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "S0602",
|
"external_id": "S0602",
|
||||||
"refs": [
|
"refs": [
|
||||||
|
@ -13144,7 +13144,7 @@
|
||||||
"value": "BUBBLEWRAP - S0043"
|
"value": "BUBBLEWRAP - S0043"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[NETEAGLE](https://attack.mitre.org/software/S0034) is a backdoor developed by [APT30](https://attack.mitre.org/groups/G0013) with compile dates as early as 2008. It has two main variants known as \u201cScout\u201d and \u201cNorton.\u201d (Citation: FireEye APT30)",
|
"description": "[NETEAGLE](https://attack.mitre.org/software/S0034) is a backdoor developed by [APT30](https://attack.mitre.org/groups/G0013) with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” (Citation: FireEye APT30)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "S0034",
|
"external_id": "S0034",
|
||||||
"mitre_platforms": [
|
"mitre_platforms": [
|
||||||
|
@ -15080,7 +15080,7 @@
|
||||||
"value": "ADVSTORESHELL - S0045"
|
"value": "ADVSTORESHELL - S0045"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[Asacub](https://attack.mitre.org/software/S0540) is a banking trojan that attempts to steal money from victims\u2019 bank accounts. It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)",
|
"description": "[Asacub](https://attack.mitre.org/software/S0540) is a banking trojan that attempts to steal money from victims’ bank accounts. It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "S0540",
|
"external_id": "S0540",
|
||||||
"mitre_platforms": [
|
"mitre_platforms": [
|
||||||
|
@ -26750,7 +26750,7 @@
|
||||||
"value": "FlawedAmmyy - S0381"
|
"value": "FlawedAmmyy - S0381"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android\u2019s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)",
|
"description": "[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "S1083",
|
"external_id": "S1083",
|
||||||
"mitre_platforms": [
|
"mitre_platforms": [
|
||||||
|
@ -33878,7 +33878,7 @@
|
||||||
"value": "HOMEFRY - S0232"
|
"value": "HOMEFRY - S0232"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[SynAck](https://attack.mitre.org/software/S0242) is variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. (Citation: SecureList SynAck Doppelg\u00e4nging May 2018) (Citation: Kaspersky Lab SynAck May 2018)",
|
"description": "[SynAck](https://attack.mitre.org/software/S0242) is variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. (Citation: SecureList SynAck Doppelgänging May 2018) (Citation: Kaspersky Lab SynAck May 2018)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "S0242",
|
"external_id": "S0242",
|
||||||
"mitre_platforms": [
|
"mitre_platforms": [
|
||||||
|
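Review bot: this hunk changes a citation marker, not just prose: `(Citation: SecureList SynAck Doppelg\u00e4nging May 2018)` becomes `(Citation: SecureList SynAck Doppelgänging May 2018)`. After JSON parsing the two are the same string, so nothing that compares parsed values breaks, but any grep- or regex-based check in the galaxy tooling that matched the escaped spelling would no longer hit. The marker text is inherited from the ATT&CK source description, so it is worth checking that the literal-ä spelling matches the upstream reference name; if it does, this hunk moves the file closer to the source rather than away from it.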
@ -34752,7 +34752,7 @@
|
||||||
"value": "MURKYTOP - S0233"
|
"value": "MURKYTOP - S0233"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store\u2019s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)",
|
"description": "[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store’s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "S0432",
|
"external_id": "S0432",
|
||||||
"mitre_platforms": [
|
"mitre_platforms": [
|
||||||
|
@ -39242,7 +39242,7 @@
|
||||||
"value": "RCSAndroid - S0295"
|
"value": "RCSAndroid - S0295"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[InnaputRAT](https://attack.mitre.org/software/S0259) is a remote access tool that can exfiltrate files from a victim\u2019s machine. [InnaputRAT](https://attack.mitre.org/software/S0259) has been seen out in the wild since 2016. (Citation: ASERT InnaputRAT April 2018)",
|
"description": "[InnaputRAT](https://attack.mitre.org/software/S0259) is a remote access tool that can exfiltrate files from a victim’s machine. [InnaputRAT](https://attack.mitre.org/software/S0259) has been seen out in the wild since 2016. (Citation: ASERT InnaputRAT April 2018)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "S0259",
|
"external_id": "S0259",
|
||||||
"mitre_platforms": [
|
"mitre_platforms": [
|
||||||
|
@ -50277,7 +50277,7 @@
|
||||||
"value": "Goopy - S0477"
|
"value": "Goopy - S0477"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android\u2019s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)",
|
"description": "[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "S0478",
|
"external_id": "S0478",
|
||||||
"mitre_platforms": [
|
"mitre_platforms": [
|
||||||
|
|
|
@ -2170,7 +2170,7 @@
|
||||||
"value": "Rubeus - S1071"
|
"value": "Rubeus - S1071"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that program extracts cached password hashes from a system\u2019s registry. (Citation: Mandiant APT1)",
|
"description": "[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that program extracts cached password hashes from a system’s registry. (Citation: Mandiant APT1)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "S0119",
|
"external_id": "S0119",
|
||||||
"mitre_platforms": [
|
"mitre_platforms": [
|
||||||
|
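Review bot: the description in this hunk keeps the upstream wording `a publicly-available tool that program extracts cached password hashes`, which is a grammatical slip in the ATT&CK source text (`tool that extracts` or `program that extracts`). Not something this reserialization commit should touch, since a hand edit to a generated file would be overwritten by the next import, but worth reporting upstream to MITRE.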
@ -2305,7 +2305,7 @@
|
||||||
"value": "Pacu - S1091"
|
"value": "Pacu - S1091"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "[Winexe](https://attack.mitre.org/software/S0191) is a lightweight, open source tool similar to [PsExec](https://attack.mitre.org/software/S0029) designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) [Winexe](https://attack.mitre.org/software/S0191) is unique in that it is a GNU/Linux based client. (Citation: \u00dcberwachung APT28 Forfiles June 2015)",
|
"description": "[Winexe](https://attack.mitre.org/software/S0191) is a lightweight, open source tool similar to [PsExec](https://attack.mitre.org/software/S0029) designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) [Winexe](https://attack.mitre.org/software/S0191) is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)",
|
||||||
"meta": {
|
"meta": {
|
||||||
"external_id": "S0191",
|
"external_id": "S0191",
|
||||||
"refs": [
|
"refs": [
|
||||||
|
|
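Review bot: `\u00dc` to `Ü` in `(Citation: Überwachung APT28 Forfiles June 2015)` is, like the SynAck hunk, a change inside a citation marker rather than free prose, and together with the two Doppelgänging hunks it accounts for the only non-quote, non-apostrophe characters rewritten in the hunks shown here. No action needed beyond the UTF-8 check raised on the first hunk; the `external_id` `S0191` and the surrounding `meta` lines are unchanged context.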